Windows Analysis Report
442.docx.exe

Overview

General Information

Sample name: 442.docx.exe
renamed because original name is a hash value
Original sample name: .docx.exe
Analysis ID: 1567177
MD5: fb8117b1a3f0924100fbc209dbbb1bb1
SHA1: 9d18c954eae8e8f8437d4e32d0b685f3f51b982b
SHA256: beaa1498a67bab02bc4c08f00bde36489aaa86ad8b01ee70b477452a08d360ec

Detection

RMSRemoteAdmin
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected RMS RemoteAdmin tool
Yara signature match

Classification

  • System is w10x64
  • 442.docx.exe (PID: 5692 cmdline: "C:\Users\user\Desktop\442.docx.exe" MD5: FB8117B1A3F0924100FBC209DBBB1BB1)
    • msiexec.exe (PID: 4536 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\intel\Word.msi" /qn MD5: E5DA170027542E25EDE42FC54C929077)
    • WINWORD.EXE (PID: 5780 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\intel\Doc.docx" /o "" MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
  • msiexec.exe (PID: 760 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 5068 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 684489E62C864DF5C283E9DB67C8FC1A MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • rfusclient.exe (PID: 7372 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\intel\Word.msi" MD5: CB9BE257064162076EBD4869CD97E166)
    • rutserv.exe (PID: 7492 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall MD5: D563A4D6BFCFE6884D1AC88824CB5C2A)
    • rutserv.exe (PID: 7692 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall MD5: D563A4D6BFCFE6884D1AC88824CB5C2A)
    • rutserv.exe (PID: 7832 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start MD5: D563A4D6BFCFE6884D1AC88824CB5C2A)
  • svchost.exe (PID: 5736 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7188 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • rutserv.exe (PID: 7864 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -service MD5: D563A4D6BFCFE6884D1AC88824CB5C2A)
    • rutserv.exe (PID: 7928 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall MD5: D563A4D6BFCFE6884D1AC88824CB5C2A)
    • rfusclient.exe (PID: 7956 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" MD5: CB9BE257064162076EBD4869CD97E166)
      • rfusclient.exe (PID: 3136 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray MD5: CB9BE257064162076EBD4869CD97E166)
    • rfusclient.exe (PID: 7968 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray MD5: CB9BE257064162076EBD4869CD97E166)
  • cleanup
No configs have been found
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Author: Joe Security
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Rule: MALWARE_Win_RemoteUtilitiesRAT, Description: RemoteUtilitiesRAT RAT payload, Author: ditekSHen, Strings:
  • 0x3a1d58:$s1: rman_message
  • 0x453340:$s3: rms_host_
  • 0x453cf8:$s3: rms_host_
  • 0x816eb4:$s4: rman_av_capture_settings
  • 0x45a4c4:$s7: _rms_log.txt
  • 0x4bf3c8:$s8: rms_internet_id_settings
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Author: Joe Security
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Rule: MALWARE_Win_RemoteUtilitiesRAT, Description: RemoteUtilitiesRAT RAT payload, Author: ditekSHen, Strings:
  • 0x39e594:$s1: rman_message
  • 0x46d594:$s3: rms_host_
  • 0x46df4c:$s3: rms_host_
  • 0x82acb0:$s4: rman_av_capture_settings
  • 0x877858:$s5: rman_registry_key
  • 0x8778a4:$s5: rman_registry_key
  • 0x543d6c:$s6: rms_system_information
  • 0x2f1a18:$s7: _rms_log.txt
  • 0x503238:$s8: rms_internet_id_settings

Source: 00000014.00000002.3309338966.0000000003858000.00000004.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Author: Joe Security
Source: 00000014.00000002.3320249204.0000000005420000.00000004.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Author: Joe Security
Source: 00000013.00000002.3304532933.000000000206A000.00000004.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Author: Joe Security
Source: 0000000E.00000000.2219293441.0000000001FD1000.00000002.00000001.01000000.0000000D.sdmp, Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Author: Joe Security
Source: 00000013.00000002.3304532933.0000000002046000.00000004.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Author: Joe Security

Source: 12.0.rfusclient.exe.c70000.0.unpack, Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Author: Joe Security
Source: 12.0.rfusclient.exe.c70000.0.unpack, Rule: MALWARE_Win_RemoteUtilitiesRAT, Description: RemoteUtilitiesRAT RAT payload, Author: ditekSHen, Strings:
  • 0x3a1d58:$s1: rman_message
  • 0x453340:$s3: rms_host_
  • 0x453cf8:$s3: rms_host_
  • 0x816eb4:$s4: rman_av_capture_settings
  • 0x45a4c4:$s7: _rms_log.txt
  • 0x4bf3c8:$s8: rms_internet_id_settings

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\442.docx.exe", CommandLine: "C:\Users\user\Desktop\442.docx.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\442.docx.exe, NewProcessName: C:\Users\user\Desktop\442.docx.exe, OriginalFileName: C:\Users\user\Desktop\442.docx.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\user\Desktop\442.docx.exe", ProcessId: 5692, ProcessName: 442.docx.exe
Source: Network Connection, Author: frack113: Data: DestinationIp: 111.90.147.125, DestinationIsIpv6: false, DestinationPort: 465, EventID: 3, Image: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Initiated: true, ProcessId: 7864, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49804
Source: Process started, Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5736, ProcessName: svchost.exe
Timestamp: 2024-12-03T08:47:38.233328+0100, SID: 2849354, Severity: 1, Classtype: Malware Command and Control Activity Detected, Source IP: 192.168.2.5, Source Port: 49803, Destination IP: 111.90.147.125, Destination Port: 80, Protocol: TCP

AV Detection

Source: Submitted Sample, Integrated Neural Analysis Model: Matched 98.8% probability
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 12_2_5FC345A0 rmsEncInitSimpleEncryption,memcpy,memcpy,12_2_5FC345A0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 12_2_5FC33760 rmsEncEncryptData,12_2_5FC33760
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 12_2_5FC33D30 rmsEncRsaPrivateDecrypt,memcpy,memcpy,memcpy,12_2_5FC33D30
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 12_2_5FC338C0 rmsEncDecryptData,12_2_5FC338C0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 12_2_5FC342D0 rmsEncRsaPrivateEncrypt,memcpy,memcpy,memcpy,12_2_5FC342D0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 12_2_5FC33AE0 rmsEncRsaPublicEncrypt,memcpy,12_2_5FC33AE0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 12_2_5FC34000 rmsEncRsaPublicDecrypt,memcpy,memcpy,memcpy,12_2_5FC34000
Source: rfusclient.exe, 0000000C.00000002.2199882753.00000000600B0000.00000002.00000001.01000000.0000000C.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_0ea94acd-6

Compliance

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Unpacked PE file: 12.2.rfusclient.exe.c70000.0.unpack
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, File created: C:\ProgramData\Remote Manipulator System\install.log
Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf
Source: 442.docx.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 442.docx.exe, 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp, 442.docx.exe, 00000000.00000000.2026361763.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
Source: C:\Windows\System32\msiexec.exe, File opened: z:
Source: C:\Windows\System32\msiexec.exe, File opened: x:
Source: C:\Windows\System32\msiexec.exe, File opened: v:
Source: C:\Windows\System32\msiexec.exe, File opened: t:
Source: C:\Windows\System32\msiexec.exe, File opened: r:
Source: C:\Windows\System32\msiexec.exe, File opened: p:
Source: C:\Windows\System32\msiexec.exe, File opened: n:
Source: C:\Windows\System32\msiexec.exe, File opened: l:
Source: C:\Windows\System32\msiexec.exe, File opened: j:
Source: C:\Windows\System32\msiexec.exe, File opened: h:
Source: C:\Windows\System32\msiexec.exe, File opened: f:
Source: C:\Windows\System32\msiexec.exe, File opened: b:
Source: C:\Windows\System32\msiexec.exe, File opened: y:
Source: C:\Windows\System32\msiexec.exe, File opened: w:
Source: C:\Windows\System32\msiexec.exe, File opened: u:
Source: C:\Windows\System32\msiexec.exe, File opened: s:
Source: C:\Windows\System32\msiexec.exe, File opened: q:
Source: C:\Windows\System32\msiexec.exe, File opened: o:
Source: C:\Windows\System32\msiexec.exe, File opened: m:
Source: C:\Windows\System32\msiexec.exe, File opened: k:
Source: C:\Windows\System32\msiexec.exe, File opened: i:
Source: C:\Windows\System32\msiexec.exe, File opened: g:
Source: C:\Windows\System32\msiexec.exe, File opened: e:
Source: C:\Windows\System32\svchost.exe, File opened: c:
Source: C:\Windows\System32\msiexec.exe, File opened: a:
Source: C:\Users\user\Desktop\442.docx.exe, Code function: 0_2_00007FF7C99B40BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF7C99B40BC
Source: C:\Users\user\Desktop\442.docx.exe, Code function: 0_2_00007FF7C99CB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF7C99CB190
Source: C:\Users\user\Desktop\442.docx.exe, Code function: 0_2_00007FF7C99DFCA0 FindFirstFileExA,0_2_00007FF7C99DFCA0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 4x nop then push esi (12_2_5FFF6B90)
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 4x nop then push esi (12_2_5FFF6AD0)
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Code function: 4x nop then sub esp, 1Ch (12_2_5FFFBEB0)
Source: winword.exe, Memory has grown: Private usage: 1MB later: 91MB

Networking

Source: Network traffic, Suricata IDS: 2849354 - Severity 1 - ETPRO MALWARE Remote Admin Backdoor Related Activity : 192.168.2.5:49803 -> 111.90.147.125:80
Source: global traffic, TCP traffic: 111.90.147.125 ports 5651,1,465,5,6,55555,80
Source: global traffic, TCP traffic: 192.168.2.5:49802 -> 111.90.147.125:5651
Source: global traffic, TCP traffic: 192.168.2.5:49805 -> 78.138.9.142:5651
Source: global traffic, TCP traffic: 192.168.2.5:49823 -> 95.213.205.83:5655
Source: global traffic, TCP traffic: 192.168.2.5:49842 -> 109.234.156.179:5655
Source: Joe Sandbox View, ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY
Source: unknown, TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown, TCP traffic detected without corresponding DNS query: 78.138.9.142
Source: global traffic, DNS traffic detected: DNS query: id72.internetid.ru
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C64C000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C64C000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C64C000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                  Source: svchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3309654301.00000225E390F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2360021197.00000225E390E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2445200328.00000225E3978000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2418338685.00000225E3978000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2334960702.00000225E3979000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2444894768.00000225E392F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2318378237.00000225E390E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2289097781.00000225E3976000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2289527010.00000225E390E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                  Source: svchost.exe, 0000000B.00000003.2334351248.00000225E3977000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2334960702.00000225E3979000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd%
                  Source: svchost.exe, 0000000B.00000003.2260420296.00000225E390E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd0
                  Source: svchost.exe, 0000000B.00000003.2260338207.00000225E3929000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAA
                  Source: svchost.exe, 0000000B.00000003.2168247282.00000225E3955000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdxmlns:
                  Source: svchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3309654301.00000225E390F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2360021197.00000225E390E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2288569554.00000225E3929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2445200328.00000225E3978000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2418338685.00000225E3978000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2334960702.00000225E3979000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2318378237.00000225E390E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2289097781.00000225E3976000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2168505928.00000225E3953000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2289527010.00000225E390E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                  Source: svchost.exe, 0000000B.00000003.2260338207.00000225E3929000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA
                  Source: svchost.exe, 0000000B.00000003.2260338207.00000225E3929000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA
                  Source: svchost.exe, 0000000B.00000003.2364814470.00000225E3978000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds
                  Source: svchost.exe, 0000000B.00000003.2168247282.00000225E3955000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdst=
                  Source: svchost.exe, 0000000B.00000002.3312588974.00000225E403B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
                  Source: svchost.exe, 0000000B.00000002.3311853387.00000225E3979000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2445200328.00000225E3978000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/22otificationses
                  Source: svchost.exe, 0000000B.00000002.3311853387.00000225E3979000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2445200328.00000225E3978000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2418338685.00000225E3978000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-u
                  Source: svchost.exe, 00000006.00000003.2086757016.00000150A3EC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                  Source: rfusclient.exe, 0000000C.00000000.2170437757.0000000000CBF000.00000020.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000E.00000000.2203086600.0000000000B11000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000011.00000003.2311900213.000000007B910000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://madExcept.comU
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C5D1000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C65E000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C71B000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C6B4000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3351298149.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2981074132.000000000728A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C5D1000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C65E000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C64C000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C71B000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C6B4000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3351298149.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3297940665.00000000006F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C64C000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C5D1000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C65E000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C71B000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C6B4000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2982270718.0000000000788000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3351298149.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3297940665.0000000000783000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C5D1000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C65E000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C71B000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C6B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
                  Source: rutserv.exe, 00000011.00000002.3303616204.00000000007DF000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2979233935.00000000007D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr45http://crl.globalsign.com/codesigningrootr45.crl
                  Source: rutserv.exe, 00000011.00000002.3297940665.0000000000756000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020
                  Source: rutserv.exe, 00000011.00000002.3359972532.000000000728A000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2981074132.000000000728A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBTLuA3ygnKW%2F7xuSx%2
                  Source: rutserv.exe, 00000011.00000002.3359972532.000000000728A000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2981074132.000000000728A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCUABBTLuA3ygnKW%2F7xuSx%2F0
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C5D1000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C65E000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C71B000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C6B4000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3297940665.0000000000756000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
                  Source: rutserv.exe, 00000011.00000002.3297940665.00000000006F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020http://crl.globalsign.com/gsgccr45codesignca2020.cr
                  Source: rutserv.exe, 00000011.00000002.3359972532.000000000728A000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2981074132.000000000728A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020t.n
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C5D1000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C65E000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C71B000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C6B4000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3297940665.0000000000756000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/rootr30;
                  Source: rutserv.exe, 00000011.00000002.3303616204.00000000007A5000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2979233935.000000000079E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/rootr3http://crl.globalsign.com/root-r3.crlT/
                  Source: svchost.exe, 0000000B.00000002.3312472664.00000225E4013000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3312588974.00000225E403B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://passport.net/tb
                  Source: rutserv.exe, 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/
                  Source: rutserv.exe, 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru///rmansys.ru/
                  Source: rutserv.exe, 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru///rmansys.ru/;
                  Source: rutserv.exe, 0000000E.00000000.2219293441.0000000001FD1000.00000002.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000011.00000002.3352551373.0000000004050000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3352551373.000000000413F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/internet-id/
                  Source: rutserv.exe, 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/nsys.ru/pf
                  Source: rutserv.exe, 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/pf
                  Source: rutserv.exe, 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/rd
                  Source: rutserv.exe, 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/web-help/
                  Source: rutserv.exe, 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/web-help/eb-help/
                  Source: rutserv.exe, 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rmansys.ru/web-help/eb-help/D
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C64C000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C64C000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s2.symcb.com0
                  Source: svchost.exe, 0000000B.00000003.2445114928.00000225E390E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3309654301.00000225E390F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.mi
                  Source: 442.docx.exe, 00000000.00000003.2051892599.000001B53872D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.microsoft.c
                  Source: svchost.exe, 0000000B.00000002.3312472664.00000225E4013000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmp, rfusclient.exe, 0000000C.00000000.2170437757.0000000000CBF000.00000020.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000E.00000000.2203086600.0000000000B11000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000011.00000003.2311900213.000000007B910000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                  Source: svchost.exe, 0000000B.00000002.3311154783.00000225E3937000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                  Source: svchost.exe, 0000000B.00000002.3311154783.00000225E3937000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3309861822.00000225E3913000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2288569554.00000225E3929000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
                  Source: svchost.exe, 0000000B.00000003.2260759594.00000225E3969000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2359941655.00000225E396E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2260920520.00000225E396E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policye.srf
                  Source: svchost.exe, 0000000B.00000003.2359941655.00000225E396E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3311154783.00000225E3937000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3309861822.00000225E3913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                  Source: svchost.exe, 0000000B.00000002.3311154783.00000225E3937000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scerence
                  Source: svchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scst
                  Source: svchost.exe, 0000000B.00000003.2359941655.00000225E396E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3311154783.00000225E3937000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2319478531.00000225E3952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3309861822.00000225E3913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                  Source: svchost.exe, 0000000B.00000003.2359941655.00000225E396E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2319478531.00000225E3952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2418909334.00000225E3076000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2168505928.00000225E3953000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                  Source: svchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuee1
                  Source: svchost.exe, 0000000B.00000003.2260759594.00000225E3969000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2260920520.00000225E396E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuessue
                  Source: svchost.exe, 0000000B.00000003.2260759594.00000225E3969000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2359941655.00000225E396E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2260920520.00000225E396E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2319478531.00000225E3952000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                  Source: svchost.exe, 0000000B.00000003.2260759594.00000225E3969000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2359941655.00000225E396E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2260920520.00000225E396E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                  Source: svchost.exe, 0000000B.00000002.3311154783.00000225E3937000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustce
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C5D1000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C65E000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C71B000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C6B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
                  Source: rutserv.exe, 00000011.00000002.3303616204.00000000007CB000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2979233935.00000000007C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C5D1000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C65E000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C71B000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C6B4000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3297940665.0000000000756000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
                  Source: rutserv.exe, 00000011.00000003.2981074132.000000000728A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt1.3.6.1.5.5.7.48.1http://ocsp.globalsi
                  Source: rutserv.exe, 00000011.00000002.3303616204.00000000007CB000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2979233935.00000000007C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crtv
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C5D1000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C65E000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C71B000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C6B4000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3297940665.0000000000756000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
                  Source: rfusclient.exe, 0000000C.00000000.2172554360.0000000001725000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000E.00000000.2219293441.0000000001FD1000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C64C000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crl0a
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C64C000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crt0
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C64C000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com0&
                  Source: rutserv.exe, 0000000E.00000000.2203086600.0000000000B11000.00000020.00000001.01000000.0000000D.sdmpString found in binary or memory: http://update.tektonit.ru/upgrade.ini
                  Source: rutserv.exe, 0000000E.00000000.2203086600.0000000000B11000.00000020.00000001.01000000.0000000D.sdmpString found in binary or memory: http://update.tektonit.ru/upgrade_beta.ini
                  Source: svchost.exe, 0000000B.00000002.3303786936.00000225E302B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2127219002.00000225E3956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125380247.00000225E3952000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
                  Source: svchost.exe, 0000000B.00000003.2126273573.00000225E392C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304172341.00000225E3040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125346792.00000225E395A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
                  Source: svchost.exe, 0000000B.00000003.2125747666.00000225E3963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304526585.00000225E305F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2127172153.00000225E392A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2126273573.00000225E392C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2127219002.00000225E3956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125380247.00000225E3952000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
                  Source: svchost.exe, 0000000B.00000003.2125263594.00000225E304F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304526585.00000225E305F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125578153.00000225E393B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
                  Source: svchost.exe, 0000000B.00000003.2125747666.00000225E3963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125263594.00000225E304F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304526585.00000225E305F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125578153.00000225E393B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3312472664.00000225E4013000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
                  Source: svchost.exe, 0000000B.00000003.2125263594.00000225E304F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125320391.00000225E3910000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
                  Source: svchost.exe, 0000000B.00000002.3304526585.00000225E305F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srfteAc
                  Source: svchost.exe, 0000000B.00000003.2125263594.00000225E304F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125578153.00000225E393B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304172341.00000225E3040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
                  Source: svchost.exe, 0000000B.00000003.2125263594.00000225E304F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125578153.00000225E393B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
                  Source: svchost.exe, 0000000B.00000002.3304172341.00000225E3040000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srfLive
                  Source: svchost.exe, 0000000B.00000003.2125263594.00000225E304F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2419640428.00000225E3102000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3306275033.00000225E3102000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125578153.00000225E393B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304172341.00000225E3040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/resetpw.srf
                  Source: svchost.exe, 0000000B.00000002.3303786936.00000225E302B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304526585.00000225E305F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125578153.00000225E393B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304172341.00000225E3040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/retention.srf
                  Source: svchost.exe, 0000000B.00000003.2319478531.00000225E3952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3313007133.00000225E407E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/RST2.srf
                  Source: svchost.exe, 0000000B.00000002.3313007133.00000225E407E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/RST2.srfityCRL
                  Source: svchost.exe, 0000000B.00000002.3307156538.00000225E313C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.comwwCP=
                  Source: svchost.exe, 0000000B.00000002.3303786936.00000225E302B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.micr
                  Source: svchost.exe, 0000000B.00000003.2125747666.00000225E3963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304526585.00000225E305F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
                  Source: svchost.exe, 0000000B.00000003.2125578153.00000225E393B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/MSARST2.srf%
                  Source: svchost.exe, 0000000B.00000003.2125747666.00000225E3963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304526585.00000225E305F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125578153.00000225E393B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
                  Source: svchost.exe, 0000000B.00000002.3304172341.00000225E3040000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfJ
                  Source: svchost.exe, 0000000B.00000002.3304526585.00000225E305F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf
                  Source: svchost.exe, 0000000B.00000002.3304172341.00000225E3040000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf.
                  Source: svchost.exe, 0000000B.00000003.2125320391.00000225E3910000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf:CLSID
                  Source: svchost.exe, 0000000B.00000003.2125747666.00000225E3963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304526585.00000225E305F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125578153.00000225E393B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
                  Source: svchost.exe, 0000000B.00000002.3304172341.00000225E3040000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf-
                  Source: svchost.exe, 0000000B.00000003.2125747666.00000225E3963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304526585.00000225E305F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125578153.00000225E393B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
                  Source: svchost.exe, 0000000B.00000002.3304172341.00000225E3040000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf%
                  Source: svchost.exe, 0000000B.00000003.2125747666.00000225E3963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304526585.00000225E305F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125578153.00000225E393B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304172341.00000225E3040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
                  Source: svchost.exe, 0000000B.00000003.2125747666.00000225E3963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304526585.00000225E305F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125578153.00000225E393B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304172341.00000225E3040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
                  Source: svchost.exe, 0000000B.00000002.3304172341.00000225E3040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125320391.00000225E3910000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
                  Source: svchost.exe, 0000000B.00000002.3304172341.00000225E3040000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srf
                  Source: svchost.exe, 0000000B.00000003.2126273573.00000225E3927000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srfMM
                  Source: svchost.exe, 0000000B.00000002.3304172341.00000225E3040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125320391.00000225E3910000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
                  Source: svchost.exe, 0000000B.00000003.2125320391.00000225E3910000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfRE
                  Source: svchost.exe, 0000000B.00000002.3303786936.00000225E302B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.micrtonl
                  Source: svchost.exe, 0000000B.00000002.3303786936.00000225E302B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://logive.c
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C57C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rmansys.ru/IS_PREVENT_DOWNGRADE_EXITZ_DOWNGRADE_DETECTED;Z_UPGRADE_DETECTED;COMPANYNAME;INST
                  Source: rutserv.exe, 00000011.00000002.3317620536.00000000020EE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://rmansys.ru/remote-access/
                  Source: rutserv.exe, 00000011.00000002.3317620536.00000000020EE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://rmansys.ru/remote-access//rmansys.ru/remote-access/
                  Source: rutserv.exe, 00000011.00000002.3317620536.00000000020EE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://rmansys.ru/remote-access//rmansys.ru/remote-access/O
                  Source: svchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://signup.live.com/signup.aspx
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C64C000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C5D1000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C65E000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C71B000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C6B4000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3297940665.0000000000756000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
                  Source: rfusclient.exe, 0000000C.00000000.2172554360.0000000001725000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000E.00000000.2219293441.0000000001FD1000.00000002.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000011.00000003.2328361611.0000000006C2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.remoteutilities.com/about/privacy-policy.php
                  Source: rfusclient.exe, 0000000C.00000000.2172554360.0000000001725000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000E.00000000.2219293441.0000000001FD1000.00000002.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000011.00000003.2328361611.0000000006C2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.remoteutilities.com/buy/money-back-guarantee.php
                  Source: rfusclient.exe, 0000000C.00000000.2172554360.0000000001725000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000E.00000000.2219293441.0000000001FD1000.00000002.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000011.00000003.2328361611.0000000006C2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.remoteutilities.com/support/docs/installing-and-uninstalling/
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_E818918BC57803438E0E0146A88425A7
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4A62E94087F64223B9812F11186592BA
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C

                  System Summary

                  Source: 12.0.rfusclient.exe.c70000.0.unpack, type: UNPACKEDPE Matched rule: RemoteUtilitiesRAT RAT payload Author: ditekSHen
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, type: DROPPED Matched rule: RemoteUtilitiesRAT RAT payload Author: ditekSHen
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, type: DROPPED Matched rule: RemoteUtilitiesRAT RAT payload Author: ditekSHen
                  Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99AC2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4c8461.msi
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8991.tmp
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{77817ADF-D5EC-49C6-B987-6169BBD5345B}
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8ADA.tmp
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4c8464.msi
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exe
                  Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A1D627669EFC8CD4F21BCF387D97F9B5_E818918BC57803438E0E0146A88425A7
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_E818918BC57803438E0E0146A88425A7
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4A62E94087F64223B9812F11186592BA
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4A62E94087F64223B9812F11186592BA
                  Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI8991.tmp
                  Source: unires_vpd.dll.3.drStatic PE information: Resource name: None type: COM executable for DOS
                  Source: rutserv.exe.3.drStatic PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
                  Source: rfusclient.exe.3.drStatic PE information: Resource name: MAD type: DOS executable (COM, 0x8C-variant)
                  Source: rfusclient.exe.3.drStatic PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
                  Source: unidrvui_rppd.dll0.3.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                  Source: unires_vpd.dll0.3.drStatic PE information: Resource name: None type: COM executable for DOS
                  Source: rutserv.exe.3.drStatic PE information: Number of sections : 11 > 10
                  Source: rfusclient.exe.3.drStatic PE information: Number of sections : 11 > 10
                  Source: libcodec32.dll.3.drStatic PE information: Number of sections : 20 > 10
                  Source: libasset32.dll.3.drStatic PE information: Number of sections : 19 > 10
                  Source: unires_vpd.dll.3.drStatic PE information: No import functions for PE file found
                  Source: unires_vpd.dll0.3.drStatic PE information: No import functions for PE file found
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C5D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 442.docx.exe
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C5D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSetAllUsers.dll< vs 442.docx.exe
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C65E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 442.docx.exe
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C71B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 442.docx.exe
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C6B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 442.docx.exe
                  Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameISRegSvr.dll vs 442.docx.exe
                  Source: 12.0.rfusclient.exe.c70000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RemoteUtilitiesRAT author = ditekSHen, description = RemoteUtilitiesRAT RAT payload, clamav_sig = MALWARE.Win.Trojan.RemoteUtilitiesRAT
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, type: DROPPED Matched rule: MALWARE_Win_RemoteUtilitiesRAT author = ditekSHen, description = RemoteUtilitiesRAT RAT payload, clamav_sig = MALWARE.Win.Trojan.RemoteUtilitiesRAT
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, type: DROPPED Matched rule: MALWARE_Win_RemoteUtilitiesRAT author = ditekSHen, description = RemoteUtilitiesRAT RAT payload, clamav_sig = MALWARE.Win.Trojan.RemoteUtilitiesRAT
                  Source: unires_vpd.dll.3.dr Static PE information: Section .rsrc
                  Source: unires_vpd.dll0.3.dr Static PE information: Section .rsrc
                  Source: classification engine Classification label: mal92.troj.evad.winEXE@28/328@1/5
                  Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99AB6D8 GetLastError,FormatMessageW,LocalFree
                  Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99C8624 FindResourceExW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Office
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\RManFUSTray
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: NULL
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Mutant created: \BaseNamedObjects\madExceptSettingsMtx$1eb8
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1ccc
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Mutant created: \BaseNamedObjects\HookTThread$1eb8
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Mutant created: \BaseNamedObjects\madExceptSettingsMtx$1ef8
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: \Sessions\1\BaseNamedObjects\HookTThread$1f20
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\RManFUSLocal
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1e0c
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: \Sessions\1\BaseNamedObjects\HookTThread$1f14
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1d44
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1e98
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1f20
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$c40
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1f14
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF1824809D33FF74D6.TMP
                  Source: 442.docx.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
                  Source: C:\Users\user\Desktop\442.docx.exe File read: C:\Windows\win.ini
                  Source: C:\Users\user\Desktop\442.docx.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: rfusclient.exe String found in binary or memory: ENGINESDIR: "E:/dev/vcpkg/installed/x86-mingw-static/lib/engines-3"
                  Source: rfusclient.exe String found in binary or memory: MODULESDIR: "E:/dev/vcpkg/installed/x86-mingw-static/lib/ossl-modules"
                  Source: rfusclient.exe String found in binary or memory: E:/dev/vcpkg/installed/x86-mingw-static/lib/ossl-modules
                  Source: rfusclient.exe String found in binary or memory: E:/dev/vcpkg/installed/x86-mingw-static/lib/engines-3
                  Source: C:\Users\user\Desktop\442.docx.exe File read: C:\Users\user\Desktop\442.docx.exe
                  Source: unknown Process created: C:\Users\user\Desktop\442.docx.exe "C:\Users\user\Desktop\442.docx.exe"
                  Source: C:\Users\user\Desktop\442.docx.exe Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\intel\Word.msi" /qn
                  Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                  Source: C:\Users\user\Desktop\442.docx.exe Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\intel\Doc.docx" /o ""
                  Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 684489E62C864DF5C283E9DB67C8FC1A
                  Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                  Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                  Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\intel\Word.msi"
                  Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
                  Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
                  Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
                  Source: unknown Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -service
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process created: unknown unknown
                  Source: C:\Windows\System32\svchost.exeSection loaded: wlidsvc.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: msxml6.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: wtsapi32.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: winsta.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: gamestreamingext.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: msauserext.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: tbs.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptnet.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptngc.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ncryptprov.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: elscore.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: elstrans.dllJump to behavior
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: oledlg.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: shfolder.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: msacm32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: faultrep.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: dbghelp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: dbgcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: libasset32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: cryptbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: olepro32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: msftedit.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: fwpuclnt.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: idndl.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: profapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winhttp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: shfolder.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msasn1.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: faultrep.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbghelp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbgcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: libasset32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: cryptbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: olepro32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: oleacc.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dwmapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msimg32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_is2022.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_g18030.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_iscii.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: profapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winhttp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: shfolder.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msasn1.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: faultrep.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbghelp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbgcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: libasset32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: cryptbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: olepro32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: oleacc.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dwmapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msimg32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_is2022.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_g18030.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_iscii.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: firewallapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dnsapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: fwbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: fwpolicyiomgr.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: sxs.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winhttp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: shfolder.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msasn1.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: faultrep.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbghelp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbgcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: libasset32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: cryptbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: olepro32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: oleacc.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dwmapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msimg32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_is2022.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_g18030.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_iscii.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winhttp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: shfolder.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msasn1.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: faultrep.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbghelp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbgcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: libasset32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: cryptbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: olepro32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: oleacc.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dwmapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msimg32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_is2022.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_g18030.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_iscii.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: fwpuclnt.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: idndl.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: profapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msxml6.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: mswsock.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: cryptsp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: rsaenh.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: userenv.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dnsapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: umpdc.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: gpapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: cryptnet.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winnsi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: webio.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: rasadhlp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winhttp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: shfolder.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msasn1.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: faultrep.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbghelp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dbgcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: libasset32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: cryptbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: olepro32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: oleacc.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dwmapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: msimg32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_is2022.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_g18030.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: c_iscii.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: firewallapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: dnsapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: fwbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: fwpolicyiomgr.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeSection loaded: sxs.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: oledlg.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: shfolder.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: msacm32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: faultrep.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: dbghelp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: dbgcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: libasset32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: cryptbase.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: olepro32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: msftedit.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: fwpuclnt.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: idndl.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: profapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: msxml6.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: dwmapi.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: userenv.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Users\user\Desktop\442.docx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                  Source: Doc.LNK.4.drLNK file: ..\..\..\..\..\..\..\intel\Doc.docx
                  Source: C:\Windows\System32\msiexec.exeFile written: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppd.ini
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeFile opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
                  Source: 442.docx.exeStatic PE information: Image base 0x140000000 > 0x60000000
                  Source: 442.docx.exeStatic file information: File size 25141051 > 1048576
                  Source: 442.docx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: 442.docx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: 442.docx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: 442.docx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: 442.docx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: 442.docx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: 442.docx.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                  Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 442.docx.exe, 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp, 442.docx.exe, 00000000.00000000.2026361763.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
                  Source: 442.docx.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: 442.docx.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: 442.docx.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: 442.docx.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: 442.docx.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                  Data Obfuscation

                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeUnpacked PE file: 12.2.rfusclient.exe.c70000.0.unpack
                  Source: C:\Users\user\Desktop\442.docx.exeFile created: C:\intel\__tmp_rar_sfx_access_check_5012343
                  Source: 442.docx.exeStatic PE information: section name: .didat
                  Source: 442.docx.exeStatic PE information: section name: _RDATA
                  Source: vp8encoder.dll.3.drStatic PE information: section name: .rodata
                  Source: vp8decoder.dll.3.drStatic PE information: section name: .rodata
                  Source: webmvorbisdecoder.dll.3.drStatic PE information: section name: _RDATA
                  Source: libasset32.dll.3.drStatic PE information: section name: /4
                  Source: libasset32.dll.3.drStatic PE information: section name: /14
                  Source: libasset32.dll.3.drStatic PE information: section name: /29
                  Source: libasset32.dll.3.drStatic PE information: section name: /41
                  Source: libasset32.dll.3.drStatic PE information: section name: /55
                  Source: libasset32.dll.3.drStatic PE information: section name: /67
                  Source: libasset32.dll.3.drStatic PE information: section name: /78
                  Source: libasset32.dll.3.drStatic PE information: section name: /94
                  Source: libasset32.dll.3.drStatic PE information: section name: /110
                  Source: eventmsg.dll.3.drStatic PE information: section name: .didata
                  Source: webmvorbisencoder.dll.3.drStatic PE information: section name: _RDATA
                  Source: libcodec32.dll.3.drStatic PE information: section name: .rodata
                  Source: libcodec32.dll.3.drStatic PE information: section name: /4
                  Source: libcodec32.dll.3.drStatic PE information: section name: /14
                  Source: libcodec32.dll.3.drStatic PE information: section name: /29
                  Source: libcodec32.dll.3.drStatic PE information: section name: /41
                  Source: libcodec32.dll.3.drStatic PE information: section name: /55
                  Source: libcodec32.dll.3.drStatic PE information: section name: /67
                  Source: libcodec32.dll.3.drStatic PE information: section name: /78
                  Source: libcodec32.dll.3.drStatic PE information: section name: /94
                  Source: libcodec32.dll.3.drStatic PE information: section name: /110
                  Source: vccorlib120.dll.3.drStatic PE information: section name: minATL
                  Source: rutserv.exe.3.drStatic PE information: section name: .didata
                  Source: rfusclient.exe.3.drStatic PE information: section name: .didata
                  Source: vccorlib120.dll0.3.drStatic PE information: section name: minATL
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF7C99E5156 push rsi; retf 0_2_00007FF7C99E5157
                  Source: C:\Users\user\Desktop\442.docx.exeCode function: 0_2_00007FF7C99E5166 push rsi; retf 0_2_00007FF7C99E5167
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeCode function: 12_2_5FFF7E30 push eax; mov dword ptr [esp], esi12_2_5FFF7ED1
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeCode function: 17_2_0101C34B push ebx; ret 17_2_0101C354
                  Source: msvcr120.dll.3.drStatic PE information: section name: .text entropy: 6.95576372950548
                  Source: VPDAgent.exe.3.drStatic PE information: section name: .text entropy: 6.812931691200469
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exe
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exe
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\libasset32.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\vccorlib120.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8991.tmp
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exe
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\libcodec32.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\eventmsg.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeFile created: C:\ProgramData\Remote Manipulator System\install.log
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf

                  Hooking and other Techniques for Hiding and Protection

                  Source: Possible double extension: docx.exeStatic PE information: 442.docx.exe
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                  Source: C:\Windows\System32\msiexec.exeKey value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\RMS Host Installer Security
                  Source: C:\Users\user\Desktop\442.docx.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\442.docx.exe Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

                  Malware Analysis System Evasion

                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe System information queried: FirmwareTableInformation
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe System information queried: FirmwareTableInformation
                  Source: rutserv.exe, 0000000E.00000000.2203086600.0000000001511000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 0000000E.00000002.2248570000.0000000002788000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE
                  Source: rutserv.exe, 00000010.00000002.2364038786.00000000023F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXEE
                  Source: rutserv.exe, 00000010.00000002.2364038786.00000000023F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXEDJ
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Window / User API: threadDelayed 1366
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Window / User API: threadDelayed 5542
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Window / User API: threadDelayed 6034
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Window / User API: threadDelayed 3455
                  Source: C:\Windows\System32\msiexec.exe Dropped PE files which have not been started:
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe
                    C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exe
                    C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dll
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dll
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll
                    C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exe
                    C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll
                    C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dll
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dll
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dll
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dll
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\vccorlib120.dll
                    C:\Windows\Installer\MSI8991.tmp
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dll
                    C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dll
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dll
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exe
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dll
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dll
                    C:\Program Files (x86)\Remote Manipulator System - Host\libcodec32.dll
                    C:\Program Files (x86)\Remote Manipulator System - Host\eventmsg.dll
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe
                    C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll
                    C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll
                    C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dll
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dll
                    C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll
                    C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_12-6229
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe API coverage: 5.8 %
                  Source: C:\Windows\System32\svchost.exe TID: 3568 Thread sleep time: -30000s >= -30000s
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 7896 Thread sleep count: 81 > 30
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 7896 Thread sleep time: -81000s >= -30000s
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 7924 Thread sleep time: -50000s >= -30000s
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 7944 Thread sleep time: -35000s >= -30000s
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 7988 Thread sleep time: -240000s >= -30000s
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 8008 Thread sleep time: -60000s >= -30000s
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 7964 Thread sleep count: 1366 > 30
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 8128 Thread sleep time: -60000s >= -30000s
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 5036 Thread sleep count: 45 > 30
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 7896 Thread sleep count: 5542 > 30
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 7896 Thread sleep time: -5542000s >= -30000s
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe TID: 7252 Thread sleep time: -3017000s >= -30000s
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe TID: 7252 Thread sleep time: -1727500s >= -30000s
                  Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                  Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99B40BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF7C99B40BC
                  Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99CB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF7C99CB190
                  Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99DFCA0 FindFirstFileExA,0_2_00007FF7C99DFCA0
                  Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99D16A4 VirtualQuery,GetSystemInfo,0_2_00007FF7C99D16A4
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Thread delayed: delay time: 50000
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Thread delayed: delay time: 60000
                  Source: rutserv.exe, 00000011.00000002.3297940665.00000000006F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWT*
                  Source: svchost.exe, 0000000B.00000002.3312472664.00000225E4013000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NXTcpV6VMWare
                  Source: svchost.exe, 00000006.00000002.3315800908.00000150A4058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3303786936.00000225E302B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3305630779.00000225E30D7000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2982524280.0000000007280000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2981074132.0000000007270000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3297940665.00000000006F9000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3359972532.0000000007280000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: svchost.exe, 00000006.00000002.3305641563.000001509EA2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
                  Source: rfusclient.exe, 0000000C.00000002.2187015900.00000000019ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99D3170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7C99D3170
                  Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99E0D20 GetProcessHeap,0_2_00007FF7C99E0D20
                  Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
                  Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99D2510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF7C99D2510
                  Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99D3354 SetUnhandledExceptionFilter,0_2_00007FF7C99D3354
                  Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99D76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7C99D76D8
                  Source: C:\Users\user\Desktop\442.docx.exe Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\intel\Word.msi" /qn
                  Source: C:\Users\user\Desktop\442.docx.exe Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\intel\Doc.docx" /o ""
                  Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
                  Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
                  Source: rfusclient.exe, 0000000C.00000000.2170437757.0000000000CBF000.00000020.00000001.01000000.0000000B.sdmp Binary or memory string: Shell_TrayWndTrayNotifyWndSV
                  Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99BDC70 cpuid 0_2_00007FF7C99BDC70
                  Source: C:\Users\user\Desktop\442.docx.exe Code function: GetLocaleInfoW,GetNumberFormatW,0_2_00007FF7C99CA2CC
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                  Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                  Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                  Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99D0754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF7C99D0754
                  Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99B4EB0 GetVersionExW,0_2_00007FF7C99B4EB0
                  Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: rutserv.exe, 0000000E.00000000.2203086600.0000000001511000.00000020.00000001.01000000.0000000D.sdmp Binary or memory string: OLLYDBG.EXE
                  Source: rutserv.exe, 0000000E.00000002.2248570000.0000000002788000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ollydbg.exe
                  Source: C:\Windows\System32\msiexec.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD Blob
                  Source: Yara match File source: 12.0.rfusclient.exe.c70000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000014.00000002.3309338966.0000000003858000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000014.00000002.3320249204.0000000005420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000013.00000002.3304532933.000000000206A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000E.00000000.2219293441.0000000001FD1000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
                  Source: Yara match File source: 00000013.00000002.3304532933.0000000002046000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000014.00000002.3309338966.000000000388A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000014.00000002.3320249204.0000000005464000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000C.00000000.2172554360.0000000001725000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: rfusclient.exe PID: 7372, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: rutserv.exe PID: 7492, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: rutserv.exe PID: 7864, type: MEMORYSTR
                  Source: Yara match File source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, type: DROPPED
                  Source: Yara match File source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, type: DROPPED
                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity InformationAcquire Infrastructure1
                  Replication Through Removable Media
                  1
                  Native API
                  1
                  DLL Side-Loading
                  1
                  Exploitation for Privilege Escalation
                  2
                  Disable or Modify Tools
                  OS Credential Dumping1
                  System Time Discovery
                  Remote Services11
                  Archive Collected Data
                  2
                  Encrypted Channel
                  Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault Accounts2
                  Command and Scripting Interpreter
                  Boot or Logon Initialization Scripts1
                  DLL Side-Loading
                  13
                  Obfuscated Files or Information
                  LSASS Memory11
                  Peripheral Device Discovery
                  Remote Desktop ProtocolData from Removable Media1
                  Non-Standard Port
                  Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                  Extra Window Memory Injection
                  12
                  Software Packing
                  Security Account Manager3
                  File and Directory Discovery
                  SMB/Windows Admin SharesData from Network Shared Drive1
                  Non-Application Layer Protocol
                  Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook12
                  Process Injection
                  1
                  DLL Side-Loading
                  NTDS67
                  System Information Discovery
                  Distributed Component Object ModelInput Capture1
                  Application Layer Protocol
                  Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                  File Deletion
                  LSA Secrets1
                  Query Registry
                  SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                  Extra Window Memory Injection
                  Cached Domain Credentials241
                  Security Software Discovery
                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items122
                  Masquerading
                  DCSync2
                  Process Discovery
                  Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                  Modify Registry
                  Proc Filesystem121
                  Virtualization/Sandbox Evasion
                  Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt121
                  Virtualization/Sandbox Evasion
                  /etc/passwd and /etc/shadow1
                  Application Window Discovery
                  Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron12
                  Process Injection
                  Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
[Behavior graph: ID 1567177, Sample: 442.docx.exe, Startdate: 03/12/2024, Architecture: WINDOWS, Score: 92]

                  No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe | 3% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll | 3% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe | 3% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll | 2% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exe | 3% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe | 3% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe | 3% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dll | 2% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe | 2% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dll | 3% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dll | 4% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe | 3% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dll | 3% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dll | 3% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll | 3% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dll | 2% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll | 3% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe | 3% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dll | 3% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dll | 3% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll | 3% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\vccorlib120.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\eventmsg.dll | 8% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\libasset32.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\libcodec32.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | 13% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | 12% | ReversingLabs | Win32.Trojan.Generic |
C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI8991.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exe | 0% | ReversingLabs | |
C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe | 0% | ReversingLabs | |
C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe | 0% | ReversingLabs | |
C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exe | 0% | ReversingLabs | |
C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe | 0% | ReversingLabs | |
                  No Antivirus matches
Source | Detection | Scanner | Label | Link
main.internetid.ru | 0% | Virustotal | | Browse
id72.internetid.ru | 0% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
https://www.remoteutilities.com/support/docs/installing-and-uninstalling/ | 0% | Avira URL Cloud | safe |
https://login.micr | 0% | Avira URL Cloud | safe |
http://rmansys.ru/pf | 0% | Avira URL Cloud | safe |
https://rmansys.ru/IS_PREVENT_DOWNGRADE_EXITZ_DOWNGRADE_DETECTED;Z_UPGRADE_DETECTED;COMPANYNAME;INST | 0% | Avira URL Cloud | safe |
https://logive.c | 0% | Avira URL Cloud | safe |
http://rmansys.ru/nsys.ru/pf | 0% | Avira URL Cloud | safe |
https://www.remoteutilities.com/about/privacy-policy.php | 0% | Avira URL Cloud | safe |
http://rmansys.ru/web-help/ | 0% | Avira URL Cloud | safe |
http://rmansys.ru/rd | 0% | Avira URL Cloud | safe |
http://rmansys.ru/web-help/eb-help/ | 0% | Avira URL Cloud | safe |
https://rmansys.ru/remote-access//rmansys.ru/remote-access/O | 0% | Avira URL Cloud | safe |
https://login.micrtonl | 0% | Avira URL Cloud | safe |
https://www.remoteutilities.com/buy/money-back-guarantee.php | 0% | Avira URL Cloud | safe |
http://rmansys.ru///rmansys.ru/; | 0% | Avira URL Cloud | safe |
http://rmansys.ru///rmansys.ru/ | 0% | Avira URL Cloud | safe |
http://rmansys.ru/web-help/eb-help/D | 0% | Avira URL Cloud | safe |
http://rmansys.ru/ | 0% | Avira URL Cloud | safe |
https://rmansys.ru/IS_PREVENT_DOWNGRADE_EXITZ_DOWNGRADE_DETECTED;Z_UPGRADE_DETECTED;COMPANYNAME;INST | 1% | Virustotal | | Browse
https://www.remoteutilities.com/support/docs/installing-and-uninstalling/ | 0% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
main.internetid.ru | 95.213.205.83 | true | false | | unknown
prod.globalsign.map.fastly.net | 151.101.130.133 | true | false | | high
id72.internetid.ru | unknown | unknown | false | | unknown
                                                                                                          high
                                                                                                          https://login.microsoftonline.com/ppsecure/DeviceQuery.srfsvchost.exe, 0000000B.00000003.2125747666.00000225E3963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304526585.00000225E305F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125578153.00000225E393B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/soap/envelope/svchost.exe, 0000000B.00000002.3312472664.00000225E4013000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmp, rfusclient.exe, 0000000C.00000000.2170437757.0000000000CBF000.00000020.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000E.00000000.2203086600.0000000000B11000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000011.00000003.2311900213.000000007B910000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://rmansys.ru/rdrutserv.exe, 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://rmansys.ru/web-help/eb-help/rutserv.exe, 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trustsvchost.exe, 0000000B.00000003.2359941655.00000225E396E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3311154783.00000225E3937000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2319478531.00000225E3952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3309861822.00000225E3913000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://login.microsoftonline.com/MSARST2.srfsvchost.exe, 0000000B.00000003.2125747666.00000225E3963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304526585.00000225E305F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://Passport.NET/STSsvchost.exe, 0000000B.00000003.2260759594.00000225E3969000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2260648618.00000225E3976000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2260920520.00000225E396E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2127361397.00000225E3952000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionIDsvchost.exe, 0000000B.00000002.3312588974.00000225E403B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://docs.oasis-open.org/wss/22otificationsessvchost.exe, 0000000B.00000002.3311853387.00000225E3979000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2445200328.00000225E3978000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://login.microsoftonline.com/ppsecure/DeviceQuery.srf-svchost.exe, 0000000B.00000002.3304172341.00000225E3040000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://www.w3.svchost.exe, 0000000B.00000002.3304526585.00000225E3077000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2418909334.00000225E3076000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://gcc.gnu.org/bugsrg/bugs/):rutserv.exe, 0000000E.00000002.2258557114.000000006025F000.00000002.00000001.01000000.0000000C.sdmpfalse
                                                                                                                              high
                                                                                                                              https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf%svchost.exe, 0000000B.00000002.3304172341.00000225E3040000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://login.microsoftonline.com/MSARST2.srf%svchost.exe, 0000000B.00000003.2125578153.00000225E393B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://rmansys.ru/remote-access//rmansys.ru/remote-access/rutserv.exe, 00000011.00000002.3317620536.00000000020EE000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://rmansys.ru/remote-access//rmansys.ru/remote-access/Orutserv.exe, 00000011.00000002.3317620536.00000000020EE000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    unknown
                                                                                                                                    https://account.live.com/isvchost.exe, 0000000B.00000003.2127219002.00000225E3956000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://login.micrtonlsvchost.exe, 0000000B.00000002.3303786936.00000225E302B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      http://Passport.NET/tbsvchost.exe, 0000000B.00000003.2260648618.00000225E3976000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2319478531.00000225E3952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2418909334.00000225E3076000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2168505928.00000225E3953000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsvchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3309654301.00000225E390F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2360021197.00000225E390E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2288569554.00000225E3929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2445200328.00000225E3978000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2418338685.00000225E3978000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2334960702.00000225E3979000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2318378237.00000225E390E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2289097781.00000225E3976000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2168505928.00000225E3953000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2289527010.00000225E390E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsdsvchost.exe, 0000000B.00000003.2418338685.00000225E3978000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2289097781.00000225E3976000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://login.microsoftonline.com/ppsecure/devicechangecredential.srfMMsvchost.exe, 0000000B.00000003.2126273573.00000225E3927000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://signup.live.com/signup.aspxsvchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://www.remoteutilities.com/buy/money-back-guarantee.phprfusclient.exe, 0000000C.00000000.2172554360.0000000001725000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000E.00000000.2219293441.0000000001FD1000.00000002.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000011.00000003.2328361611.0000000006C2B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                http://rmansys.ru///rmansys.ru/;rutserv.exe, 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80601svchost.exe, 0000000B.00000002.3303786936.00000225E302B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304526585.00000225E305F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2127219002.00000225E3956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125380247.00000225E3952000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80600svchost.exe, 0000000B.00000002.3303786936.00000225E302B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://cacerts.digicerrutserv.exe, 00000011.00000002.3359972532.000000000728A000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2981074132.000000000728A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80603svchost.exe, 0000000B.00000003.2125380247.00000225E3952000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://rmansys.ru///rmansys.ru/rutserv.exe, 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                                        unknown
                                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/09/policysvchost.exe, 0000000B.00000002.3311154783.00000225E3937000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3309861822.00000225E3913000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2288569554.00000225E3929000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://curl.se/docs/http-cookies.htmlrfusclient.exe, 0000000C.00000002.2199882753.00000000600B0000.00000002.00000001.01000000.0000000C.sdmp, rutserv.exe, 0000000E.00000002.2258557114.0000000060247000.00000002.00000001.01000000.0000000C.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymoussvchost.exe, 0000000B.00000002.3311154783.00000225E3937000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAAsvchost.exe, 0000000B.00000003.2260338207.00000225E3929000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://update.tektonit.ru/upgrade_beta.inirutserv.exe, 0000000E.00000000.2203086600.0000000000B11000.00000020.00000001.01000000.0000000D.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80605svchost.exe, 0000000B.00000003.2127172153.00000225E392A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2126273573.00000225E392C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2127219002.00000225E3956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125380247.00000225E3952000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80604svchost.exe, 0000000B.00000002.3303786936.00000225E302B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2127219002.00000225E3956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125380247.00000225E3952000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srfsvchost.exe, 0000000B.00000002.3304172341.00000225E3040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125320391.00000225E3910000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/scstsvchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/Issuesvchost.exe, 0000000B.00000003.2359941655.00000225E396E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2319478531.00000225E3952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2418909334.00000225E3076000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2168505928.00000225E3953000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            http://rmansys.ru/web-help/eb-help/Drutserv.exe, 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                                                            unknown
                                                                                                                                                                            https://g.live.com/odclientsettings/Prod/C:svchost.exe, 00000006.00000003.2086757016.00000150A3F33000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfsvchost.exe, 0000000B.00000003.2125747666.00000225E3963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304526585.00000225E305F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125578153.00000225E393B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://account.live.com/Wizard/Password/Change?id=80601svchost.exe, 0000000B.00000002.3304526585.00000225E305F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125578153.00000225E393B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2126273573.00000225E392C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2127219002.00000225E3956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125380247.00000225E3952000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/scsvchost.exe, 0000000B.00000003.2359941655.00000225E396E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3311154783.00000225E3937000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3309861822.00000225E3913000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
http://rmansys.ru/ | rutserv.exe, 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
111.90.147.125 | unknown | Malaysia | 45839 | SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | true
109.234.156.179 | unknown | Russian Federation | 49505 | SELECTELRU | false
78.138.9.142 | unknown | United Kingdom | 8513 | SKYVISIONGB | false
95.213.205.83 | main.internetid.ru | Russian Federation | 50340 | SELECTEL-MSKRU | false
                                                                                                                                                                                            IP
                                                                                                                                                                                            127.0.0.1
                                                                                                                                                                                            Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                            Analysis ID:1567177
                                                                                                                                                                                            Start date and time:2024-12-03 08:46:15 +01:00
                                                                                                                                                                                            Joe Sandbox product:CloudBasic
                                                                                                                                                                                            Overall analysis duration:0h 10m 7s
                                                                                                                                                                                            Hypervisor based Inspection enabled:false
                                                                                                                                                                                            Report type:full
                                                                                                                                                                                            Cookbook file name:default.jbs
                                                                                                                                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                            Number of analysed new started processes analysed:23
                                                                                                                                                                                            Number of new started drivers analysed:0
                                                                                                                                                                                            Number of existing processes analysed:0
                                                                                                                                                                                            Number of existing drivers analysed:0
                                                                                                                                                                                            Number of injected processes analysed:0
                                                                                                                                                                                            Technologies:
                                                                                                                                                                                            • HCA enabled
                                                                                                                                                                                            • EGA enabled
                                                                                                                                                                                            • AMSI enabled
                                                                                                                                                                                            Analysis Mode:default
                                                                                                                                                                                            Analysis stop reason:Timeout
                                                                                                                                                                                            Sample name:442.docx.exe
                                                                                                                                                                                            renamed because original name is a hash value
                                                                                                                                                                                            Original Sample Name: .docx.exe
                                                                                                                                                                                            Detection:MAL
                                                                                                                                                                                            Classification:mal92.troj.evad.winEXE@28/328@1/5
                                                                                                                                                                                            EGA Information:
                                                                                                                                                                                            • Successful, ratio: 83.3%
                                                                                                                                                                                            HCA Information:Failed
                                                                                                                                                                                            Cookbook Comments:
                                                                                                                                                                                            • Found application associated with file extension: .exe
                                                                                                                                                                                            • Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
                                                                                                                                                                                            • Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.109.68.129, 52.113.194.132, 20.190.177.82, 20.190.177.83, 20.190.177.23, 20.190.147.4, 20.190.147.10, 20.190.177.146, 20.190.147.8, 20.190.147.0, 2.19.198.65, 23.32.238.121, 2.19.198.57, 23.32.238.113, 23.32.238.154, 2.19.198.41, 23.32.238.152, 52.111.252.15, 52.111.252.17, 52.111.252.16, 52.111.252.18, 23.218.208.109, 52.182.143.213, 2.17.100.216, 2.17.100.200, 2.17.100.210, 2.17.100.232, 2.17.100.152, 23.32.238.105, 23.32.238.128, 23.32.238.99, 23.32.238.129, 23.32.238.138, 23.32.238.115, 23.32.238.122, 23.32.238.98, 104.18.21.226, 104.18.20.226, 151.101.130.133
                                                                                                                                                                                            • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, a1847.dscg2.akamai.net, onedscolprdcus16.centralus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, frc-azsc-000.roaming.officeapps.live.com, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, wu-b-net.trafficmanager.net, ecs.office.com, fs.microsoft.com, prod-inc-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, www.tm.v4.a.prd.aadg.akadns.net, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, nleditor.osi.office.net, s-0005.s-msedge.net, metadata.templates.cdn.office.net, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net, binaries.templates.cdn.office.net.edgesuite.net, cdn.globalsigncdn.com.cdn.cloudflare.net, templatesmetadata.office.net.edgekey.net, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.ak
                                                                                                                                                                                            • Execution Graph export aborted for target rutserv.exe, PID 7492 because there are no executed function
                                                                                                                                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                            • Report size getting too big, too many NtCreateFile calls found.
                                                                                                                                                                                            • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                            • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                            • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                                                            • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:47:10 | API Interceptor | 2x Sleep call for process: svchost.exe modified
02:47:32 | API Interceptor | 380619x Sleep call for process: rutserv.exe modified
02:47:38 | API Interceptor | 112613x Sleep call for process: rfusclient.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
95.213.205.83 | ExeFile (206).exe | malicious | RMSRemoteAdmin, Xmrig
95.213.205.83 | winserv.exe | malicious | RMSRemoteAdmin, xRAT
95.213.205.83 | winserv.exe | malicious | RMSRemoteAdmin, xRAT
                                                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                  prod.globalsign.map.fastly.nethttps://e.letscompress.online/update.txtGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 151.101.130.133
                                                                                                                                                                                                  http://propdfhub.comGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 151.101.130.133
                                                                                                                                                                                                  Document-19-06-38.jsGet hashmaliciousBruteRatelBrowse
                                                                                                                                                                                                  • 151.101.194.133
                                                                                                                                                                                                  goJ2miRnrv.exeGet hashmaliciousRMSRemoteAdminBrowse
                                                                                                                                                                                                  • 151.101.194.133
                                                                                                                                                                                                  goJ2miRnrv.exeGet hashmaliciousRMSRemoteAdminBrowse
                                                                                                                                                                                                  • 151.101.66.133
                                                                                                                                                                                                  https://www.pdfriend.com/pdfconverter?gad_source=5&gclid=EAIaIQobChMIwqGhsbi9iAMVO6uOCB1oKCEPEAEYASAAEgJbhfD_BwEGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 151.101.2.133
                                                                                                                                                                                                  http://ak43423ce23ks.com/qnbfinans/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 151.101.2.133
                                                                                                                                                                                                  SecuriteInfo.com.Riskware.OfferCore.5002.4698.exeGet hashmaliciousPrivateLoaderBrowse
                                                                                                                                                                                                  • 151.101.2.133
                                                                                                                                                                                                  https://firebasestorage.googleapis.com/v0/b/namo-426715.appspot.com/o/PqA45bE7me%2FForm_Ver-11-58-52.js?alt=media&token=dc88189e-81de-49e9-879e-365bc76e3567Get hashmaliciousBruteRatel, LatrodectusBrowse
                                                                                                                                                                                                  • 151.101.130.133
                                                                                                                                                                                                  Form_W-9_Ver-083_030913350-67084228u8857-460102.jsGet hashmaliciousBazar Loader, BruteRatel, LatrodectusBrowse
                                                                                                                                                                                                  • 151.101.130.133
                                                                                                                                                                                                  main.internetid.ruExeFile (206).exeGet hashmaliciousRMSRemoteAdmin, XmrigBrowse
                                                                                                                                                                                                  • 95.213.205.83
                                                                                                                                                                                                  winserv.exeGet hashmaliciousRMSRemoteAdmin, xRATBrowse
                                                                                                                                                                                                  • 95.213.205.83
                                                                                                                                                                                                  winserv.exeGet hashmaliciousRMSRemoteAdmin, xRATBrowse
                                                                                                                                                                                                  • 95.213.205.83
                                                                                                                                                                                                  3C77C16EE21FF2F584B1EB5DF4882976A934D50D1D4E0.exeGet hashmaliciousRMSRemoteAdminBrowse
                                                                                                                                                                                                  • 95.213.205.83
                                                                                                                                                                                                  bg.microsoft.map.fastly.netfile.exeGet hashmaliciousStealcBrowse
                                                                                                                                                                                                  • 199.232.214.172
                                                                                                                                                                                                  INTRUM65392.pdf.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 199.232.214.172
                                                                                                                                                                                                  Recent Services Delays Update.pdfGet hashmaliciousKnowBe4, PDFPhishBrowse
                                                                                                                                                                                                  • 199.232.214.172
                                                                                                                                                                                                  invoice-6483728493.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 199.232.210.172
                                                                                                                                                                                                  PI-02911202409#.xlaGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 199.232.210.172
                                                                                                                                                                                                  V-Mail.msgGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 199.232.214.172
                                                                                                                                                                                                  file.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 199.232.210.172
                                                                                                                                                                                                  file.exeGet hashmaliciousXmrigBrowse
                                                                                                                                                                                                  • 199.232.210.172
                                                                                                                                                                                                  wait.dll.dllGet hashmaliciousBruteRatel, LatrodectusBrowse
                                                                                                                                                                                                  • 199.232.214.172
                                                                                                                                                                                                  zdi.txt.msiGet hashmaliciousBruteRatel, LatrodectusBrowse
                                                                                                                                                                                                  • 199.232.210.172
                                                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                  No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe | J4zGPhVRV3.exe | Get hash | malicious | RMSRemoteAdmin | Browse
 | J4zGPhVRV3.exe | Get hash | malicious | RMSRemoteAdmin | Browse
 | SecuriteInfo.com.PUA.Tool.RemoteControl.20.28594.18180.exe | Get hash | malicious | RMSRemoteAdmin | Browse
 | SecuriteInfo.com.PUA.Tool.RemoteControl.20.28594.18180.exe | Get hash | malicious | RMSRemoteAdmin | Browse
 | 044f.pdf.scr | Get hash | malicious | RMSRemoteAdmin | Browse
 | 3e#U043c.scr | Get hash | malicious | RMSRemoteAdmin | Browse
 | 3e#U043c.scr | Get hash | malicious | RMSRemoteAdmin | Browse
 | GkLbUGixzx.exe | Get hash | malicious | RMSRemoteAdmin | Browse
 | GkLbUGixzx.exe | Get hash | malicious | RMSRemoteAdmin | Browse
 | 3C77C16EE21FF2F584B1EB5DF4882976A934D50D1D4E0.exe | Get hash | malicious | RMSRemoteAdmin | Browse
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                      Size (bytes):33259
                                                                                                                                                                                                                      Entropy (8bit):5.289535231253926
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:o5t4t4t+ZXTWBwp1KwUXciM01HuECHgCg4gcgblFl/Y3TY3s8:fCBwpswUXceHuECHgCg4gcgblFlA3U3j
                                                                                                                                                                                                                      MD5:FF11C839ABDDBD0E3DC73BA280650AB8
                                                                                                                                                                                                                      SHA1:12DAF274E6C96335F908033C8C365ACA271CF60F
                                                                                                                                                                                                                      SHA-256:04E9CF716E8342AFC1845194B6351377CBAF0B07F9206634C4D7FA5A47657C53
                                                                                                                                                                                                                      SHA-512:B6D507825A46F7759F536D004B1E7E5421CABC80BB09D17883C750117842E41E320E89A716D49DD9448AB482F83BAAE48BFC531F94C8AE02B880D5D3B145EEE2
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):118
                                                                                                                                                                                                                      Entropy (8bit):3.5700810731231707
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
                                                                                                                                                                                                                      MD5:573220372DA4ED487441611079B623CD
                                                                                                                                                                                                                      SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
                                                                                                                                                                                                                      SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
                                                                                                                                                                                                                      SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:Rich Text Format data, version 1, ANSI, code page 1251, default middle east language ID 1025
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):140524
                                                                                                                                                                                                                      Entropy (8bit):4.705761523836363
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:wu3K4JDvJNJt2cGTXxl5loUWDTEhkClEgoKt9ai1IYdO5NVSUeDfydxqXJe2JNC0:wu93dN2OqrYZlKhIiSEGQ4wL
                                                                                                                                                                                                                      MD5:65B04B706AC06E31210F4FFB1E92994E
                                                                                                                                                                                                                      SHA1:B005637B3DE903CBD7960637D77FF993897C5A63
                                                                                                                                                                                                                      SHA-256:E9ACC22A02BC2148AE07EC7CBE741E6E1CBC90DE3856AAE8F32A31FB5C338566
                                                                                                                                                                                                                      SHA-512:5B708D069434A384738EFD5F4621F257FC79A7F5A32D8AE9C1D29E21EFE1EEB2C393EC67DA39714C0C73F2217B68091EE7196C72331838A0A7ECA872FAF09A09
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):15680
                                                                                                                                                                                                                      Entropy (8bit):6.579534230870796
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:XxgSABvdm4Yy3EA39QKoEp0Fm7qFAmL8x2fLWwsU7K6CYv7+C:Xx0FmW3Ea1KmexmMK6jr
                                                                                                                                                                                                                      MD5:C2F009D6317D1BA4E722938A1408478A
                                                                                                                                                                                                                      SHA1:66D702BC9FA98D1E7FE9BBC16AFF9AE711019E9B
                                                                                                                                                                                                                      SHA-256:6A8D4FB6F90B53D986B2AC6BF3BFCC56D6A54A2E8AF5670129566F5D344ED0FA
                                                                                                                                                                                                                      SHA-512:4D8060EC77EB9B95B57BC20AF2685064FA1E1FCC9403EFE95572C37D72ACD39B8005831EA0BAE95C365E945E50962B7FE1BFD964C5776D3E99CE5E474F726BFE
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                                      Joe Sandbox View:
                                                                                                                                                                                                                      • Filename: J4zGPhVRV3.exe, Detection: malicious
                                                                                                                                                                                                                      • Filename: SecuriteInfo.com.PUA.Tool.RemoteControl.20.28594.18180.exe, Detection: malicious
                                                                                                                                                                                                                      • Filename: 044f.pdf.scr, Detection: malicious
                                                                                                                                                                                                                      • Filename: 3e#U043c.scr, Detection: malicious
                                                                                                                                                                                                                      • Filename: GkLbUGixzx.exe, Detection: malicious
                                                                                                                                                                                                                      • Filename: 3C77C16EE21FF2F584B1EB5DF4882976A934D50D1D4E0.exe, Detection: malicious
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):2673984
                                                                                                                                                                                                                      Entropy (8bit):6.865614554810881
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:49152:BE8JxHX5r9sDQl7wDSMSFxvQ/qpyr0k0ha5XLDaDMPNw2x8pWTUKA76AeF8:BE8XHX5riUl7wDP6vQ/qpyr0kR5XLWDB
                                                                                                                                                                                                                      MD5:10CD2135C0C5D9D3E5A0A5B679F2FAAE
                                                                                                                                                                                                                      SHA1:A0617D8C6876F98B9A1819A71F2A56B965C1C75D
                                                                                                                                                                                                                      SHA-256:D7A97387505CA740AC88E85CAC3AA3CA73C666CC3BFD977C7E40B1D9D6CA6C12
                                                                                                                                                                                                                      SHA-512:6A1F81127FF26DCC235D7CE454E69F9A3784AC54BBC8486CB5022AAC47C2FB6003641A0F8AAFDD3B89812FE3C1C90569AD73C1C135687C042CE92C5DD2FFBDD8
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1110848
                                                                                                                                                                                                                      Entropy (8bit):6.491478844569486
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:24576:TqSQS800orApz53PI2GVqH7kpf/V57GGcP6T5m+moXafzb:tQSX0oAtkpf/bfcyTTmoozb
                                                                                                                                                                                                                      MD5:AB3E77FC94445A18C9376F98CE10102F
                                                                                                                                                                                                                      SHA1:9424736FB3DB517C5584A14A482F84D81A671F8D
                                                                                                                                                                                                                      SHA-256:EEE325D9AC6A7B24B8ED3742110BD042803D6DA065F2E51153151E69D51CE4A3
                                                                                                                                                                                                                      SHA-512:454115C621434E98D39AEC605FCEB349C7AFB938B3E822F5950EE60E54FBFCB5CDBFE750015FE947C07FB991B4E966E535640343294D885ED2661353D3FD6EC9
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):22848
                                                                                                                                                                                                                      Entropy (8bit):6.464002114523214
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:2+b57Gk7g+iy21oCiDuK9jkrtpgjKMpFmexmMK6j8qF2:7/210DuVrtsKM3ZxBKghF2
                                                                                                                                                                                                                      MD5:2DE35EAAE57A6BAA02D9E8ED0661F042
                                                                                                                                                                                                                      SHA1:82D14A58D5188F5B7606365BE0E3F968A8E81E93
                                                                                                                                                                                                                      SHA-256:BB43036D202D3DBD765A12D1C4C243E7AB8328FFC1941AEA838D8B1553700E64
                                                                                                                                                                                                                      SHA-512:02F1D530C1469431A94074A057FCE3FE60735D3B15DD767E8F39F29B702B98B061954063D83D5FA426D7684CC86359E87424F0CC54FFB0AC3F388AA7E48D6DE0
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):4005696
                                                                                                                                                                                                                      Entropy (8bit):6.809616089473951
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:98304:lbR+lDT6t58JcKdTG57M06POn9rvBAUZLM8FAK:FR+lDOt5kgFvVwmd
                                                                                                                                                                                                                      MD5:2C5987EA1E87A5C073B780F8102AE09C
                                                                                                                                                                                                                      SHA1:78DAA99D8C59A4A2E0D3B59E5427F854D8613080
                                                                                                                                                                                                                      SHA-256:22AC34380064C0FFEE59AD892CA4695E94EE8F97B78C18565251295817A784FE
                                                                                                                                                                                                                      SHA-512:7D6432960C5F3BEC27B13D06D4126C91A1DD7DD702DE97F1001855D8572BE68D6526F419BB58F5E5238E8E8F81C801BDAD8F351EF0AE75564835146F3DD3434D
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:MS Windows icon resource - 6 icons, 32x32, 4 bits/pixel, 16x16, 4 bits/pixel
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):10134
                                                                                                                                                                                                                      Entropy (8bit):5.364629779133003
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:75LkqDCmLVf89uqywWrvNCB4isySOc3AOv2B+YT1/44tuU+3:1OmLVf4dErvNCB5tSOc3AY2BP944g
                                                                                                                                                                                                                      MD5:6F70BD62A17EC5B677EC1129F594EE6F
                                                                                                                                                                                                                      SHA1:4FB95EB83A99C0DA62919C34886B0A3667F3911E
                                                                                                                                                                                                                      SHA-256:FC8570D50C1773A1B34AA4E31143FD0776E26FF032EE3EEB6DB8BFAB42B4A846
                                                                                                                                                                                                                      SHA-512:615A7E8738B2CF1BC47C8D5FC1357C1299080D0BAA1E54129D0DEBDB6BA60CD366364BE0BDAFDABCBA60F16544B0516A50B4B0182E8BCF01F59171003CE9B244
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):39744
                                                                                                                                                                                                                      Entropy (8bit):6.36744082696392
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:TkzqOI138e1y6JMKxTrAogoAoaP7+qFXYiLxjdQzUQ9LSk3E0gTSsn2TkhI3K0Jn:TLqokSaddQzUNk3EXSsn2Tk4ZZxBKgfP
                                                                                                                                                                                                                      MD5:9ED8BAA9DEC76C6AFAFC1C71193A0AE8
                                                                                                                                                                                                                      SHA1:843727F195BF194CFF3736B80FB5249713F1E116
                                                                                                                                                                                                                      SHA-256:CD2C60402D46C339147ADDF110C904F78A783F23106CCAD147EFA156175D66DE
                                                                                                                                                                                                                      SHA-512:40D85540176AB0170B7341D6A8A808FD351B35C6444D468E7707B35D2B2E8F3322DBF0BF31E0578E3A12E1A62B310DD7983B7EFB0F2C72D0C4104AEB0BBCEFF9
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):179520
                                                                                                                                                                                                                      Entropy (8bit):5.239011393842513
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:1536:+vQrKBVxKfGkHM5ZZ+HHJOWfuXO8zIJ1k9XHX8t0wk7UAjKQpmErUaDO3nG:3kjiTGD+JOWGT00XHXo0w+mErBO3G
                                                                                                                                                                                                                      MD5:FF197487BFE7E9D3396E0793B83811ED
                                                                                                                                                                                                                      SHA1:D92CA066B79DF28BF22BB051AEDFE10E4FA4A2A6
                                                                                                                                                                                                                      SHA-256:E6D0CA844514FDD105772E72C7C30D47099112AB68A4A5F9E4A2B28C0372A05A
                                                                                                                                                                                                                      SHA-512:33A13B0EE7E3DD038B35B5E4220278016397D003DCEECA56C3EE264608E053940AAFC09AE582C0FD67DFA919F38265883269F6C1A93E5BB9047B97F4A51CACCE
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):98650
                                                                                                                                                                                                                      Entropy (8bit):4.192473934109759
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:5rENOwVRq6rZmor3CmRxhESLGZ0s1JP2PY6rZIshvwmE2uJJ6rZqDJK1YRo6rZGx:S9miFao0WDn
                                                                                                                                                                                                                      MD5:1614E6CDF119FD284D476F7E6723B3AD
                                                                                                                                                                                                                      SHA1:3FF9164C9E5FC47169CC1C6EECA22AAB099F2EA3
                                                                                                                                                                                                                      SHA-256:C8DF350F95FFEEED30060092DC8666EADCE040A4DDCB98E7A9293F87D19387A8
                                                                                                                                                                                                                      SHA-512:8FBCB156B2F9637BC15FA71758A361CB2500F5A19875EE6BE2B52FC3171C38353A6CDC623E36777D052E0B319C7AF934D2D1DBE92E69666C9B9AD749610BA471
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:..[.E.n.g.l.i.s.h.].....L.a.n.g.I.D.=.1.0.3.3.....;. .l.o.o.k. .f.o.r. .l.a.n.g.u.a.g.e. .i.d.e.n.t.i.f.i.e.r.s. .i.n. .M.S.D.N. .-. .'.T.a.b.l.e. .o.f. .L.a.n.g.u.a.g.e. .I.d.e.n.t.i.f.i.e.r.s.'. .t.o.p.i.c.........;. .S.T.A.N.D.A.R.D. .D.I.A.L.O.G. .B.U.T.T.O.N.S.:.........1.=.O.K.....2.=.C.a.n.c.e.l.........;. .P.R.I.N.T.I.N.G. .P.R.E.F.E.R.E.N.C.E.S.:.........;. .C.o.m.m.o.n. .s.t.r.i.n.g.s.....;. .b.i.t.s. .p.e.r. .p.i.x.e.l.....5.0.0.0. .=. .1. .b.i.t. .-. .b.l.a.c.k. .a.n.d. .w.h.i.t.e.....5.0.0.1. .=. .4. .b.i.t.s. .-. .1.6. .c.o.l.o.r.s.....5.0.0.2. .=. .8. .b.i.t.s. .-. .2.5.6. .c.o.l.o.r.s.....5.0.0.3. .=. .2.4. .b.i.t.s. .-. .t.r.u.e. .c.o.l.o.r.........;. .C.o.m.p.r.e.s.s.i.o.n.....5.0.0.4. .=. .N.o.n.e.....5.0.0.5. .=. .A.u.t.o.m.a.t.i.c.....5.0.0.6. .=. .C.C.I.T.T. .m.o.d.i.f.i.e.d. .H.u.f.f.m.a.n. .R.L.E.....5.0.0.7. .=. .C.C.I.T.T. .G.r.o.u.p. .3. .f.a.x. .e.n.c.o.d.i.n.g.....5.0.0.8. .=. .C.C.I.T.T. .G.r.o.u.p. .4. .f.a.x. .e.n.c.o.d.i.n.g.....5.0.0.9. .=. .L.e.m.p.e.
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):53056
                                                                                                                                                                                                                      Entropy (8bit):6.556803642202102
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:AqfYixknAt1kJSwlxeZQHPFtuEK+XLxSzELK4ZHZxBKgCu:8ixknqaxxeZ09tVr7xkyZ5ncu
                                                                                                                                                                                                                      MD5:A7A19BFD82EEAE7D4DC00144F3B949F4
                                                                                                                                                                                                                      SHA1:FBD6EF10A7D519386CB32B093AE7E42852BAECBD
                                                                                                                                                                                                                      SHA-256:A32A93B71A5628EDFC19FD31D26AC60DAF364E89CFDA2C82071718814042BE55
                                                                                                                                                                                                                      SHA-512:5AC0F6A0FDAAB8B832B0021948101ABD1C8AF8B79E0C02D60770DF22D945D669AE7D588BD3264F9991E11CBAB01A445AAC9B594B47171C68A6A7BDC3FBB8D962
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):2772288
                                                                                                                                                                                                                      Entropy (8bit):6.917291195041145
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:49152:UuZqJvz7GHYFVw8vfMVDpaLGtH3uSvQ/qpyr0kiU6HoCPLG5gzyUxChRebU:UuZqJvz7GHGVfvfMVDNNxvQ/qpyr0kpj
                                                                                                                                                                                                                      MD5:9FD469846E628F44A4147743875FFBC0
                                                                                                                                                                                                                      SHA1:6065C496D7C2695F3678D945FFA3FEFFBCD83C53
                                                                                                                                                                                                                      SHA-256:129C2D91F085E54FD9E333C6F580A16907A1D9659D823D6C7CB25F5D3CE55CC8
                                                                                                                                                                                                                      SHA-512:5AF5DD95BE604E039337D153CED2B9D3FE33F2E05818E3A222FDD9F7B3381197CCF3CA39324F46CA95B81DF76624F0EF4A0CF045195640E58B9A233D092F43AB
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):2991424
                                                                                                                                                                                                                      Entropy (8bit):6.7900679594310915
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:49152:kz1BQT/9rrcXgJoHt3LhNSTuHo6E7hVNO8B/3LUvQ/qpyr0kRZTKjEKMUP9isAxI:kz1BI5U3lNS6Ho6E7vBRIvQ/qpyr0kuF
                                                                                                                                                                                                                      MD5:829DD10CD377386A2040897F5288DDB0
                                                                                                                                                                                                                      SHA1:A7B1C7A6C0E1C9641750E8150EE810530FB67DD0
                                                                                                                                                                                                                      SHA-256:5753F66DBC480901955DE247117F3C1E99777B1A610C90931E50C374F8B1D888
                                                                                                                                                                                                                      SHA-512:C6B915EBF7B1C023FBB2E06FB169857539253CFA2B5B5C770DF5A43896AF8A0C847796E3F82C6109778F11D7FE3976DA172E1E0E6EACCD1C82DBAEB80ADAB4F5
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):660128
                                                                                                                                                                                                                      Entropy (8bit):6.339798513733826
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12288:N2fus43uu43Ry4GHlT4xH2K+M+/i+WSpY+7YOzCaK9A3gS2EKZm+GWodEEwnyh:muJzCaK9AB2EKZm+GWodEEwnyh
                                                                                                                                                                                                                      MD5:46060C35F697281BC5E7337AEE3722B1
                                                                                                                                                                                                                      SHA1:D0164C041707F297A73ABB9EA854111953E99CF1
                                                                                                                                                                                                                      SHA-256:2ABF0AAB5A3C5AE9424B64E9D19D9D6D4AEBC67814D7E92E4927B9798FEF2848
                                                                                                                                                                                                                      SHA-512:2CF2ED4D45C79A6E6CEBFA3D332710A97F5CF0251DC194EEC8C54EA0CB85762FD19822610021CCD6A6904E80AFAE1590A83AF1FA45152F28CA56D862A3473F0A
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):963232
                                                                                                                                                                                                                      Entropy (8bit):6.634408584960502
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:24576:FkZ+EUPoH5KTcAxt/qvRQdxQxO61kCS9mmWymzVPD:FkMAlM8ixQI5C6wl
                                                                                                                                                                                                                      MD5:9C861C079DD81762B6C54E37597B7712
                                                                                                                                                                                                                      SHA1:62CB65A1D79E2C5ADA0C7BFC04C18693567C90D0
                                                                                                                                                                                                                      SHA-256:AD32240BB1DE55C3F5FCAC8789F583A17057F9D14914C538C2A7A5AD346B341C
                                                                                                                                                                                                                      SHA-512:3AA770D6FBA8590FDCF5D263CB2B3D2FAE859E29D31AD482FBFBD700BCD602A013AC2568475999EF9FB06AE666D203D97F42181EC7344CBA023A8534FB13ACB7
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:Windows setup INFormation
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):9698
                                                                                                                                                                                                                      Entropy (8bit):3.8395767056459316
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:jxUPudWfG9sPEd5yVplXhzPGeQ6cGIDGzBs+2o5WcicJXoNaTXy:jyxFeGIDIFXoNT
                                                                                                                                                                                                                      MD5:6476F7217D9D6372361B9E49D701FB99
                                                                                                                                                                                                                      SHA1:E1155AB2ACC8A9C9B3C83D1E98F816B84B5E7E25
                                                                                                                                                                                                                      SHA-256:6135D3C9956A00C22615E53D66085DABBE2FBB93DF7B0CDF5C4F7F7B3829F58B
                                                                                                                                                                                                                      SHA-512:B27ABD8ED640A72424B662AE5C529CDDA845497DC8BD6B67B0B44AE9CDD5E849F627E1735108B2DF09DD6EF83AD1DE6FAA1AD7A6727B5D7A7985F92A92CA0779
                                                                                                                                                                                                                      Malicious:false
Preview:......; NTPRINT.INF (for Windows Server 2003 family)..;..; List of supported printers, manufacturers..;....[Version]..Signature="$Windows NT$"..Provider="Microsoft"..ClassGUID={4D36E979-E325-11CE-BFC1-08002BE10318}..Class=Printer..CatalogFile=ntprint.cat..DriverIsolation=2..DriverVer=06/21/2006,6.1.7600.16385....[Manufacturer].."Microsoft"=Microsoft,NTamd64....[Microsoft.NTamd64].."{D20EA372-DD35-4950-9ED8-A6335AFE79F0}" = {D20EA372-DD35-4950-9ED8-A6335AFE79F0}, {D20EA372-DD35-4950-9ED8-A6335AF
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:MS Windows icon resource - 6 icons, 32x32, 4 bits/pixel, 16x16, 4 bits/pixel
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):10134
                                                                                                                                                                                                                      Entropy (8bit):5.364629779133003
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:75LkqDCmLVf89uqywWrvNCB4isySOc3AOv2B+YT1/44tuU+3:1OmLVf4dErvNCB5tSOc3AY2BP944g
                                                                                                                                                                                                                      MD5:6F70BD62A17EC5B677EC1129F594EE6F
                                                                                                                                                                                                                      SHA1:4FB95EB83A99C0DA62919C34886B0A3667F3911E
                                                                                                                                                                                                                      SHA-256:FC8570D50C1773A1B34AA4E31143FD0776E26FF032EE3EEB6DB8BFAB42B4A846
                                                                                                                                                                                                                      SHA-512:615A7E8738B2CF1BC47C8D5FC1357C1299080D0BAA1E54129D0DEBDB6BA60CD366364BE0BDAFDABCBA60F16544B0516A50B4B0182E8BCF01F59171003CE9B244
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):17415
                                                                                                                                                                                                                      Entropy (8bit):4.618177193109944
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:U1EQCr2g2t2g2F2s2J2m2p2z2ZOgoNJUTIZah25Dy:3oLILwfcV86ZO3eTIZzy
                                                                                                                                                                                                                      MD5:8EE7FD65170ED9BD408E0C821171B62A
                                                                                                                                                                                                                      SHA1:9D14A87A049C3B576CEC4B28210F0C95B94E08E0
                                                                                                                                                                                                                      SHA-256:EE1E4D9869188CC3FA518C445ECF071845E5BD8BE56767A9F7F7DD3ACE294BA5
                                                                                                                                                                                                                      SHA-512:5740AB3545D2217BA2156C58BA9AF6681D73116AB5DFBEAA5AB615D9CD0C77716C25865E67188E9D7892B340776755D4CBB1A3E98FAEAF8B6BB4B2CCA00D8AE6
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:*GPDSpecVersion: "1.0"..*GPDFileVersion: "1.0"..*GPDFileName: "***.GPD"..*Include: "STDNAMES_VPD.GPD"..*ModelName: "****"..*MasterUnits: PAIR(40800, 117600)..*ResourceDLL: "UNIRES_VPD.DLL"..*PrinterType: PAGE..*MaxCopies: 99....*Feature: Orientation..{.. *rcNameID: =ORIENTATION_DISPLAY.. *DefaultOption: PORTRAIT.. *Option: PORTRAIT.. {.. *rcNameID: =PORTRAIT_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.6.. *Cmd: "".. }.. }.. *Option: LANDSCAPE_CC270.. {.. *rcNameID: =LANDSCAPE_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.6.. *Cmd: "".. }.. }..}..*Feature: InputBin..{.. *rcNameID: =PAPER_SOURCE_DISPLAY.. *DefaultOption: AUTO...*Option: AUTO.. {.. *rcNameID: =AUTO_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.9.. *Cmd: "".. }.. }.. *Option: CASSETTE.. {.. *rcNameID:
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):41
                                                                                                                                                                                                                      Entropy (8bit):4.479503224130278
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3:z8ANyq3jII7Vc:z8cy2lc
                                                                                                                                                                                                                      MD5:035B163A3E4C308F617C05E0137FAFD0
                                                                                                                                                                                                                      SHA1:484238C9C05805F1CA5A97FA58950253B7F9FCBE
                                                                                                                                                                                                                      SHA-256:00CA9230DBAC7FF222CA837AA796496FF4B9B15E0552D3D5AD26B040E2BAB8D7
                                                                                                                                                                                                                      SHA-512:3EB65CF86C3C71944C8100F90C60604DB4EA69CB187F8E473601845EB4520148CF3779762EF997DC5C14FE8A2269B928448DDF0338A4F172C0460FA0D6F29798
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[OEMFiles] ..OEMConfigFile1=rppdui.dll ..
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):98650
                                                                                                                                                                                                                      Entropy (8bit):4.192473934109759
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:5rENOwVRq6rZmor3CmRxhESLGZ0s1JP2PY6rZIshvwmE2uJJ6rZqDJK1YRo6rZGx:S9miFao0WDn
                                                                                                                                                                                                                      MD5:1614E6CDF119FD284D476F7E6723B3AD
                                                                                                                                                                                                                      SHA1:3FF9164C9E5FC47169CC1C6EECA22AAB099F2EA3
                                                                                                                                                                                                                      SHA-256:C8DF350F95FFEEED30060092DC8666EADCE040A4DDCB98E7A9293F87D19387A8
                                                                                                                                                                                                                      SHA-512:8FBCB156B2F9637BC15FA71758A361CB2500F5A19875EE6BE2B52FC3171C38353A6CDC623E36777D052E0B319C7AF934D2D1DBE92E69666C9B9AD749610BA471
                                                                                                                                                                                                                      Malicious:false
Preview:[English]..LangID=1033..; look for language identifiers in MSDN - 'Table of Language Identifiers' topic....; STANDARD DIALOG BUTTONS:....1=OK..2=Cancel....; PRINTING PREFERENCES:....; Common strings..; bits per pixel..5000 = 1 bit - black and white..5001 = 4 bits - 16 colors..5002 = 8 bits - 256 colors..5003 = 24 bits - true color....; Compression..5004 = None..5005 = Automatic..5006 = CCITT modified Huffman RLE..5007 = CCITT Group 3 fax encoding..5008 = CCITT Group 4 fax encoding..5009 = Lempe
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):35648
                                                                                                                                                                                                                      Entropy (8bit):6.365966080243848
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:nE2YHORRn1SNBaiAL3X8jARHb2Os7fAK6ncZxBKg1xDo:E862HbPs7otEnzNo
                                                                                                                                                                                                                      MD5:68EA0EC529B7B9D3284D860F5ABD9BB4
                                                                                                                                                                                                                      SHA1:1A3951538D9E79F09792C8B118F010834A6C1273
                                                                                                                                                                                                                      SHA-256:EE963C5960F6687789004175C3DF0098331BEBBCE992BF9C73EF9EF6ED73C1E0
                                                                                                                                                                                                                      SHA-512:E62D2CFCA2433F4D647A5658141D63093D75491C60D1647F41FFDE74308BDF1A512DEBCC4A4535CE6FC9DE1ACB149D135D89366FE75FC9C52AA709C8887D7A28
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):204096
                                                                                                                                                                                                                      Entropy (8bit):5.820956822859452
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3072:co2/UxSJBXgK5IsZsYMNV7jWCQQD9KdtvB1WOAahmRF:co284/XgGfbuYAKdf1WOAaO
                                                                                                                                                                                                                      MD5:126C2BCC9112266CE33F9835A1E44B9C
                                                                                                                                                                                                                      SHA1:B16C0D19797C7A0CC665BC8346ECF453234A83A4
                                                                                                                                                                                                                      SHA-256:2736C2919966D17F27A34D69A7253CD4C2D09C6F7CF9FC03597F27BC73C0BDC2
                                                                                                                                                                                                                      SHA-512:C25FC46CA2D8DAAD868FA2B5F1BA6CCAAC7F919C8C7CBB86952741B493D27E79EC8C7FD5F124A704B78F4197E6F3812D0FE0F64BC00117EE2AC09B41FAE85308
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):102208
                                                                                                                                                                                                                      Entropy (8bit):6.071111727952987
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:1536:8Fqz3IwGZjZ8lt0nt0NhuGO7o6LJ/TJhjYEOYULzEnr:MwYrZNQCnKhnOtthUEOYULzEr
                                                                                                                                                                                                                      MD5:CC0E2455CFF19B3585C9FA781428E88E
                                                                                                                                                                                                                      SHA1:93EC9326F0CEE4E7F385525B03DDF0DF89A409E8
                                                                                                                                                                                                                      SHA-256:AF24B7E339CC6B80ECF7B45050533E8227D6491EED2FD8C3FF2BF22406B027AA
                                                                                                                                                                                                                      SHA-512:B995CD999B36B9BD3DC8BE60A7576701CB91D18DF21934521C578047CD135C91F1027058198B1867A4D46804C0514523B370ECEC0E6691A041189011E31166A6
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):14366
                                                                                                                                                                                                                      Entropy (8bit):4.1817849062232195
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:NjThm8JC986ITRCzEzEpYNwtd29u7ZTl8hF:yFzOnS7z0
                                                                                                                                                                                                                      MD5:7162D8977515A446D2C1E139DA59DED5
                                                                                                                                                                                                                      SHA1:952F696C463B8410B1FA93A3B2B6DAE416A81867
                                                                                                                                                                                                                      SHA-256:2835A439C6AE22074BC3372491CB71E6C2B72D0C87AE3EEE6065C6CAADF1E5C8
                                                                                                                                                                                                                      SHA-512:508F7CA3D4BC298534AB058F182755851051684F8D53306011F03875804C95E427428BD425DD13633EEC79748BB64E78AAD43E75B70CC5A3F0F4E6696DBB6D8E
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:*%%% Copyright (c) 1997-1999 Microsoft Corporation..*%%% value macros for standard feature names and standard option names..*%%% used in older Unidrv's.....*CodePage: 1252 *% Windows 3.1 US (ANSI) code page....*Feature: RESDLL..{.. *Name: "resource dll files".. *ConcealFromUI?: TRUE.... *Option: UniresDLL.. {.. *Name: "unires_vpd.dll".. }..}....*Macros: StdFeatureNames..{.. ORIENTATION_DISPLAY: RESDLL.UniresDLL.11100.. PAPER_SIZE_DISPLAY: RESDLL.UniresDLL.11101.. PAPER_SOURCE_DISPLAY: RESDLL.UniresDLL.11102.. RESOLUTION_DISPLAY: RESDLL.UniresDLL.11103.. MEDIA_TYPE_DISPLAY: RESDLL.UniresDLL.11104.. TEXT_QUALITY_DISPLAY: RESDLL.UniresDLL.11105.. COLOR_PRINTING_MODE_DISPLAY: RESDLL.UniresDLL.11106.. PRINTER_MEMORY_DISPLAY: RESDLL.UniresDLL.11107.. TWO_SIDED_PRINTING_DISPLAY: RESDLL.UniresDLL.11108.. PAGE_PROTECTION_
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):487232
                                                                                                                                                                                                                      Entropy (8bit):6.340203111317007
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:MgjhSyqP1a/eVqxFxNCAiG3XyJ/2TxbfsEkhy+0F+K8lJrZdwwSvr:MglSTPaRxFdLXyJ/ebEEkx0rqJduJ
                                                                                                                                                                                                                      MD5:AD6C433A57BE03EE0C75076D6FE99CD5
                                                                                                                                                                                                                      SHA1:219EE785F2C8127DAA44B298B5B2B096FCCE8D12
                                                                                                                                                                                                                      SHA-256:8A180D92A2C879A3384D24A38EC8C9FD6BFD183935E61DA0B97F1C67A7EC9EA7
                                                                                                                                                                                                                      SHA-512:041FB9165068D0EA879632B883B3E247336A3BB159ED46AE053B60D074A0BB231FA2DEEDD6CB2BA17AACB771413A86A3F970480AF7A2311E51702288D3B9A30E
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:MS Windows 3.1 help, Tue Apr 17 13:11:56 2001, 21225 bytes
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):21225
                                                                                                                                                                                                                      Entropy (8bit):3.9923245636306675
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:g8qo9MqLEGX9WkaNWvbAsmrEGckkwy95/HLQdu:g8rMqLwkW8AsqEHkkwy7N
                                                                                                                                                                                                                      MD5:6798F64959C913673BD66CD4E47F4A65
                                                                                                                                                                                                                      SHA1:C50FAA64C8267AC7106401E69DA5C15FC3F2034C
                                                                                                                                                                                                                      SHA-256:0C02B226BE4E7397F8C98799E58B0A512515E462CCDAAC04EDC10E3E1091C011
                                                                                                                                                                                                                      SHA-512:8D208306B6D0F892A2F16F8070A89D8EDB968589896CB70CF46F43BF4BEFB7C4CA6A278C35FE8A2685CC784505EFB77C32B0AABF80D13BCC0D10A39AE8AFB55A
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):892224
                                                                                                                                                                                                                      Entropy (8bit):6.044434154548935
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12288:qpvsrQZu8F/bY6Pgx2B8UNG2Ql20gcwtH2qMP23so2:kZ5F/bYogxJUB9cwtHFMDp
                                                                                                                                                                                                                      MD5:BB98224B0CB6F17D61AA24D7A46A08C5
                                                                                                                                                                                                                      SHA1:DB78D1161EAA0C691DF76D1B6D7CC98793007BCE
                                                                                                                                                                                                                      SHA-256:23A30F94360D710BB020DF76E7846AB991EDD6CA3C7F685AECF6CD1A019D451A
                                                                                                                                                                                                                      SHA-512:D74291E8556911B77588D63EB20DB5D6642C31FEDD9EE186AE62D53C705F0CDBE14725ECBB8FC5FE770F45DFF05731EEBB2063A33BB78DF70B73CDCF4E86C465
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):770368
                                                                                                                                                                                                                      Entropy (8bit):5.630939020655746
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12288:+kozBEoNh3bBPc/s4430ye84TF1dbua5TVhRre3kf8IKHgikinLd:SzBEGbL4Np84TQazCSiRd
                                                                                                                                                                                                                      MD5:A0D2853BE8043F5FC4FEE04CFE5A8293
                                                                                                                                                                                                                      SHA1:4FDF21E578739ABB4BCC938568F27897E733E229
                                                                                                                                                                                                                      SHA-256:1D8C77B674F8294DB39B2CDE2873BDE5A2F6EBD65E14CAEEB58FBA94C92C1F3D
                                                                                                                                                                                                                      SHA-512:FC5CE23DF55EF277D6DB898D5620697A3A061A5DD9BE63145CE71B966905CAC41B9785121709A2A0DCF8F90B76F484FAB619EB8DB40A873A867468ECF1620F99
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):356528
                                                                                                                                                                                                                      Entropy (8bit):5.917051105867173
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:0g5dgFfqaKFJyHrByeUIRAHq0KzS9OAgfVgYCDlSv:0OdcUIRAHqAeX0a
                                                                                                                                                                                                                      MD5:BDD8AE768DBF3E6C65D741CB3880B8A7
                                                                                                                                                                                                                      SHA1:91B01FD48A586822C1D81CA80B950F8639CCE78C
                                                                                                                                                                                                                      SHA-256:602ADD77CBD807D02306DE1D0179CB71A908EECB11677116FC206A7E714AB6D6
                                                                                                                                                                                                                      SHA-512:7840554A66F033E556CF02772B8B3749C593657CA254E0F2DBD93B05F4600E11BA821EBA8FC038115C038B5E5AF2F8D2CF0A5AE1F1362E813CF0B5041BBBFF94
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):455328
                                                                                                                                                                                                                      Entropy (8bit):6.698367093574994
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12288:uZ/8wcqw2oe+Z3VrfwfNOOoWhUgiW6QR7t5ss3Ooc8DHkC2e77/:W/8wVwHZFTwFOOos3Ooc8DHkC2e77/
                                                                                                                                                                                                                      MD5:FD5CABBE52272BD76007B68186EBAF00
                                                                                                                                                                                                                      SHA1:EFD1E306C1092C17F6944CC6BF9A1BFAD4D14613
                                                                                                                                                                                                                      SHA-256:87C42CA155473E4E71857D03497C8CBC28FA8FF7F2C8D72E8A1F39B71078F608
                                                                                                                                                                                                                      SHA-512:1563C8257D85274267089CD4AEAC0884A2A300FF17F84BDB64D567300543AA9CD57101D8408D0077B01A600DDF2E804F7890902C2590AF103D2C53FF03D9E4A5
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):970912
                                                                                                                                                                                                                      Entropy (8bit):6.9649735952029515
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12288:LBmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJQV:dmFyjLF847eiWWcoGZVOIxh/WxIAIbGV
                                                                                                                                                                                                                      MD5:034CCADC1C073E4216E9466B720F9849
                                                                                                                                                                                                                      SHA1:F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
                                                                                                                                                                                                                      SHA-256:86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
                                                                                                                                                                                                                      SHA-512:5F11EF92D936669EE834A5CEF5C7D0E7703BF05D03DC4F09B9DCFE048D7D5ADFAAB6A9C7F42E8080A5E9AAD44A35F39F3940D5CCA20623D9CAFE373C635570F7
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:Windows setup INFormation
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):9698
                                                                                                                                                                                                                      Entropy (8bit):3.8395767056459316
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:jxUPudWfG9sPEd5yVplXhzPGeQ6cGIDGzBs+2o5WcicJXoNaTXy:jyxFeGIDIFXoNT
                                                                                                                                                                                                                      MD5:6476F7217D9D6372361B9E49D701FB99
                                                                                                                                                                                                                      SHA1:E1155AB2ACC8A9C9B3C83D1E98F816B84B5E7E25
                                                                                                                                                                                                                      SHA-256:6135D3C9956A00C22615E53D66085DABBE2FBB93DF7B0CDF5C4F7F7B3829F58B
                                                                                                                                                                                                                      SHA-512:B27ABD8ED640A72424B662AE5C529CDDA845497DC8BD6B67B0B44AE9CDD5E849F627E1735108B2DF09DD6EF83AD1DE6FAA1AD7A6727B5D7A7985F92A92CA0779
                                                                                                                                                                                                                      Malicious:false
Preview:; NTPRINT.INF (for Windows Server 2003 family)..;..; List of supported printers, manufacturers..;....[Version]..Signature="$Windows NT$"..Provider="Microsoft"..ClassGUID={4D36E979-E325-11CE-BFC1-08002BE10318}..Class=Printer..CatalogFile=ntprint.cat..DriverIsolation=2..DriverVer=06/21/2006,6.1.7600.16385....[Manufacturer].."Microsoft"=Microsoft,NTamd64....[Microsoft.NTamd64].."{D20EA372-DD35-4950-9ED8-A6335AFE79F0}" = {D20EA372-DD35-4950-9ED8-A6335AFE79F0}, {D20EA372-DD35-4950-9ED8-A6335AF
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:MS Windows icon resource - 6 icons, 32x32, 4 bits/pixel, 16x16, 4 bits/pixel
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):10134
                                                                                                                                                                                                                      Entropy (8bit):5.364629779133003
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:75LkqDCmLVf89uqywWrvNCB4isySOc3AOv2B+YT1/44tuU+3:1OmLVf4dErvNCB5tSOc3AY2BP944g
                                                                                                                                                                                                                      MD5:6F70BD62A17EC5B677EC1129F594EE6F
                                                                                                                                                                                                                      SHA1:4FB95EB83A99C0DA62919C34886B0A3667F3911E
                                                                                                                                                                                                                      SHA-256:FC8570D50C1773A1B34AA4E31143FD0776E26FF032EE3EEB6DB8BFAB42B4A846
                                                                                                                                                                                                                      SHA-512:615A7E8738B2CF1BC47C8D5FC1357C1299080D0BAA1E54129D0DEBDB6BA60CD366364BE0BDAFDABCBA60F16544B0516A50B4B0182E8BCF01F59171003CE9B244
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):17415
                                                                                                                                                                                                                      Entropy (8bit):4.618177193109944
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:U1EQCr2g2t2g2F2s2J2m2p2z2ZOgoNJUTIZah25Dy:3oLILwfcV86ZO3eTIZzy
                                                                                                                                                                                                                      MD5:8EE7FD65170ED9BD408E0C821171B62A
                                                                                                                                                                                                                      SHA1:9D14A87A049C3B576CEC4B28210F0C95B94E08E0
                                                                                                                                                                                                                      SHA-256:EE1E4D9869188CC3FA518C445ECF071845E5BD8BE56767A9F7F7DD3ACE294BA5
                                                                                                                                                                                                                      SHA-512:5740AB3545D2217BA2156C58BA9AF6681D73116AB5DFBEAA5AB615D9CD0C77716C25865E67188E9D7892B340776755D4CBB1A3E98FAEAF8B6BB4B2CCA00D8AE6
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:*GPDSpecVersion: "1.0"..*GPDFileVersion: "1.0"..*GPDFileName: "***.GPD"..*Include: "STDNAMES_VPD.GPD"..*ModelName: "****"..*MasterUnits: PAIR(40800, 117600)..*ResourceDLL: "UNIRES_VPD.DLL"..*PrinterType: PAGE..*MaxCopies: 99....*Feature: Orientation..{.. *rcNameID: =ORIENTATION_DISPLAY.. *DefaultOption: PORTRAIT.. *Option: PORTRAIT.. {.. *rcNameID: =PORTRAIT_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.6.. *Cmd: "".. }.. }.. *Option: LANDSCAPE_CC270.. {.. *rcNameID: =LANDSCAPE_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.6.. *Cmd: "".. }.. }..}..*Feature: InputBin..{.. *rcNameID: =PAPER_SOURCE_DISPLAY.. *DefaultOption: AUTO...*Option: AUTO.. {.. *rcNameID: =AUTO_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.9.. *Cmd: "".. }.. }.. *Option: CASSETTE.. {.. *rcNameID:
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):41
                                                                                                                                                                                                                      Entropy (8bit):4.479503224130278
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3:z8ANyq3jII7Vc:z8cy2lc
                                                                                                                                                                                                                      MD5:035B163A3E4C308F617C05E0137FAFD0
                                                                                                                                                                                                                      SHA1:484238C9C05805F1CA5A97FA58950253B7F9FCBE
                                                                                                                                                                                                                      SHA-256:00CA9230DBAC7FF222CA837AA796496FF4B9B15E0552D3D5AD26B040E2BAB8D7
                                                                                                                                                                                                                      SHA-512:3EB65CF86C3C71944C8100F90C60604DB4EA69CB187F8E473601845EB4520148CF3779762EF997DC5C14FE8A2269B928448DDF0338A4F172C0460FA0D6F29798
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[OEMFiles] ..OEMConfigFile1=rppdui.dll ..
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):98650
                                                                                                                                                                                                                      Entropy (8bit):4.192473934109759
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:5rENOwVRq6rZmor3CmRxhESLGZ0s1JP2PY6rZIshvwmE2uJJ6rZqDJK1YRo6rZGx:S9miFao0WDn
                                                                                                                                                                                                                      MD5:1614E6CDF119FD284D476F7E6723B3AD
                                                                                                                                                                                                                      SHA1:3FF9164C9E5FC47169CC1C6EECA22AAB099F2EA3
                                                                                                                                                                                                                      SHA-256:C8DF350F95FFEEED30060092DC8666EADCE040A4DDCB98E7A9293F87D19387A8
                                                                                                                                                                                                                      SHA-512:8FBCB156B2F9637BC15FA71758A361CB2500F5A19875EE6BE2B52FC3171C38353A6CDC623E36777D052E0B319C7AF934D2D1DBE92E69666C9B9AD749610BA471
                                                                                                                                                                                                                      Malicious:false
Preview:[English]..LangID=1033..; look for language identifiers in MSDN - 'Table of Language Identifiers' topic....; STANDARD DIALOG BUTTONS:....1=OK..2=Cancel....; PRINTING PREFERENCES:....; Common strings..; bits per pixel..5000 = 1 bit - black and white..5001 = 4 bits - 16 colors..5002 = 8 bits - 256 colors..5003 = 24 bits - true color....; Compression..5004 = None..5005 = Automatic..5006 = CCITT modified Huffman RLE..5007 = CCITT Group 3 fax encoding..5008 = CCITT Group 4 fax encoding..5009 = Lempe
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):33600
                                                                                                                                                                                                                      Entropy (8bit):6.281064018328684
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:az2vV5RqtDcvnyQW7I+Ud26uiGKjzAVQjXzPishb8pe+7mNwSumexmMK6jcy:hgo7WcDGuB3Upe2m9uZxBKg3
                                                                                                                                                                                                                      MD5:BED53AB8B9E406D1A8D6A85924E44282
                                                                                                                                                                                                                      SHA1:19628BD3DE2BEF0EDC3622E4A7184162BD979040
                                                                                                                                                                                                                      SHA-256:E5A10A74CFC36A4DCFCC9B25573B92A37B55062153EF9120B93154DB5792B3DA
                                                                                                                                                                                                                      SHA-512:6F5C6945B0A982E8C94A826685158286D16173F51B10FDF1F5B9F4F93562240736A09B5F0997E995C0AF07360BACD51FA46CB8E4A3FA319519F3727FF87613E7
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):159552
                                                                                                                                                                                                                      Entropy (8bit):6.178643199247813
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3072:VYM7lLXShoSAJzKb9P+K61JJBsJgTcqTIbMNZ3mo+aGh1G:77tK+K61vBsJKcq0bMNZPXP
                                                                                                                                                                                                                      MD5:F0A9D47D76E68883F04E60599EADAE6D
                                                                                                                                                                                                                      SHA1:8F7BB6B9E9CB70529FA4C442ABF507A2F546E6E3
                                                                                                                                                                                                                      SHA-256:2FAB0969C6E131834496428779A0809B97981F3E8D6FBF8A59632CB2DF783687
                                                                                                                                                                                                                      SHA-512:18BBD1A3899C6B2F361BFA575D50D7DA29EAEF0E1C7CB50B318CECFE3150F268C1CDF30FEB5246B9F9B5D7FE36BD4A268E06595D9D3F3D86D933F14F5C43AD43
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):87360
                                                                                                                                                                                                                      Entropy (8bit):6.424955012685773
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:1536:df1NQOOvFdve0e0ZIMhn9nA2LYK7ZOgkg6znnLnx9Inz1:/Adve07RnlhRN6znDQx
                                                                                                                                                                                                                      MD5:66C5F108A058B515BBDDE628384990C9
                                                                                                                                                                                                                      SHA1:0FBADFC5106056DFD269DF5EA532F69556CAE68F
                                                                                                                                                                                                                      SHA-256:8D596D33CC3962B33B46D361BBC44A8088F18C09949734F3DEC54828372426AE
                                                                                                                                                                                                                      SHA-512:6060EF07244385516989DF3AAD1C01E9F93B7B45A247D8D70FC5BE7A62BA96BFD22F80F0C78D178443D38796A2C7148CD3ADF4EB1A5FC430DFF5BB393492901E
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):14366
                                                                                                                                                                                                                      Entropy (8bit):4.1817849062232195
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:NjThm8JC986ITRCzEzEpYNwtd29u7ZTl8hF:yFzOnS7z0
                                                                                                                                                                                                                      MD5:7162D8977515A446D2C1E139DA59DED5
                                                                                                                                                                                                                      SHA1:952F696C463B8410B1FA93A3B2B6DAE416A81867
                                                                                                                                                                                                                      SHA-256:2835A439C6AE22074BC3372491CB71E6C2B72D0C87AE3EEE6065C6CAADF1E5C8
                                                                                                                                                                                                                      SHA-512:508F7CA3D4BC298534AB058F182755851051684F8D53306011F03875804C95E427428BD425DD13633EEC79748BB64E78AAD43E75B70CC5A3F0F4E6696DBB6D8E
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:*%%% Copyright (c) 1997-1999 Microsoft Corporation..*%%% value macros for standard feature names and standard option names..*%%% used in older Unidrv's.....*CodePage: 1252 *% Windows 3.1 US (ANSI) code page....*Feature: RESDLL..{.. *Name: "resource dll files".. *ConcealFromUI?: TRUE.... *Option: UniresDLL.. {.. *Name: "unires_vpd.dll".. }..}....*Macros: StdFeatureNames..{.. ORIENTATION_DISPLAY: RESDLL.UniresDLL.11100.. PAPER_SIZE_DISPLAY: RESDLL.UniresDLL.11101.. PAPER_SOURCE_DISPLAY: RESDLL.UniresDLL.11102.. RESOLUTION_DISPLAY: RESDLL.UniresDLL.11103.. MEDIA_TYPE_DISPLAY: RESDLL.UniresDLL.11104.. TEXT_QUALITY_DISPLAY: RESDLL.UniresDLL.11105.. COLOR_PRINTING_MODE_DISPLAY: RESDLL.UniresDLL.11106.. PRINTER_MEMORY_DISPLAY: RESDLL.UniresDLL.11107.. TWO_SIDED_PRINTING_DISPLAY: RESDLL.UniresDLL.11108.. PAGE_PROTECTION_
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):383296
                                                                                                                                                                                                                      Entropy (8bit):6.650287803080611
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:yplBo/TK5C+psQzJzCSX6hjg+4GRr3CoA7f3j5G+hinZ5P31uGX7Zum8oyk7lATI:O0/djgEUhWnJ2UlxqOttoICvPn/318Sm
                                                                                                                                                                                                                      MD5:C3F39388BD4E6763F9734BC617388A17
                                                                                                                                                                                                                      SHA1:AF5B4753F99C3F115294662876D7191DC8652786
                                                                                                                                                                                                                      SHA-256:4D1F6A595889165B6A14B68D848C639748C9750C165BB4515CA3C3C67B4BA462
                                                                                                                                                                                                                      SHA-512:BD8D00461E65F156686B0FC799926897845900F072F7AC10B66387E041CC7D3810ADBFB0137E9EA7B24995A11D324707D9E0FCD699D36E62ED089F46CC5ABA58
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:MS Windows 3.1 help, Tue Apr 17 13:11:56 2001, 21225 bytes
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):21225
                                                                                                                                                                                                                      Entropy (8bit):3.9923245636306675
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:g8qo9MqLEGX9WkaNWvbAsmrEGckkwy95/HLQdu:g8rMqLwkW8AsqEHkkwy7N
                                                                                                                                                                                                                      MD5:6798F64959C913673BD66CD4E47F4A65
                                                                                                                                                                                                                      SHA1:C50FAA64C8267AC7106401E69DA5C15FC3F2034C
                                                                                                                                                                                                                      SHA-256:0C02B226BE4E7397F8C98799E58B0A512515E462CCDAAC04EDC10E3E1091C011
                                                                                                                                                                                                                      SHA-512:8D208306B6D0F892A2F16F8070A89D8EDB968589896CB70CF46F43BF4BEFB7C4CA6A278C35FE8A2685CC784505EFB77C32B0AABF80D13BCC0D10A39AE8AFB55A
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):755520
                                                                                                                                                                                                                      Entropy (8bit):6.198681499104638
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12288:IlIoM3g2e9Bg7Lg3yfKDPc97QpAxuKdwSGnZGxn:IvM36KkyCLW7QCwSGon
                                                                                                                                                                                                                      MD5:0822EE0FF996BEB2B31EBBDD6449231B
                                                                                                                                                                                                                      SHA1:7DF7F4978F3C4728CAEF9F95C6EB6C0D8CF8FDAC
                                                                                                                                                                                                                      SHA-256:D727150FA7853748655E9CAA9F19F633E33BD191284703D6609984A64CB39CAB
                                                                                                                                                                                                                      SHA-512:A47D25901FAD0507167E241350EC12C8D545F3F932E1B44E5F167A82263BCB97DA06B09454E8DE815EFC445088F2B1011028C3EAE5BF3F55FACAA3D9EC082815
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):770368
                                                                                                                                                                                                                      Entropy (8bit):5.629918098777896
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12288:tkoGBEoNh3bBPc/s4430ye84TF1dbua5TVhRre3kf8IKHgikinLC:LGBEGbL4Np84TQazCSiRC
                                                                                                                                                                                                                      MD5:385152D096A96D1966C1042EDE38114F
                                                                                                                                                                                                                      SHA1:A42D0587A2BF156C3F757778397A2E7AC8122E3C
                                                                                                                                                                                                                      SHA-256:5A22FE5AF587540A9840E4F2A515564A2478DDA47AC1C81B687AC2F59C4C2FD0
                                                                                                                                                                                                                      SHA-512:483E8819C6C5C1BCF725A4D6513364A5EE054E1D9100A8F42FFD2DBBFD52910CCA8E6DAF4435103C75AA2EBCA5A608BCC76EE6C531EA67C723267D9445D40256
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):247984
                                                                                                                                                                                                                      Entropy (8bit):6.601853231729306
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:+SsS5fv6EATwqlGwyfDyodYI3ZubfW5nb2PQuW0x:+I5fv6EATwqlGwyfDyodYI3Zv1C
                                                                                                                                                                                                                      MD5:69837E50C50561A083A72A5F8EA1F6A2
                                                                                                                                                                                                                      SHA1:1A4B4C6C3CB6A5164CC1018AC72D0300455B3D8F
                                                                                                                                                                                                                      SHA-256:9C9D4E421C55F7EF4E455E75B58A6639428CCD75C76E5717F448AFE4C21C52BC
                                                                                                                                                                                                                      SHA-512:FD20C6B4EEC972C775681AD7322769D5074108D730727051EF77D779A277D77B12419E1FEE1E2EC0CF376A235573A85AD37975245DBF078DE467953AFD02164A
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):52312
                                                                                                                                                                                                                      Entropy (8bit):6.450469916547452
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:MsmrWdCS5PvBHOUYTKJgr0OMpqdBwFrGjYBZyIh9rOQ:Mza/pu/TKJ/OMpTryYzyMCQ
                                                                                                                                                                                                                      MD5:4E84DF6558C385BC781CDDEA34C9FBA3
                                                                                                                                                                                                                      SHA1:6D63D87C19C11BDBFA484A5835FFFFD7647296C8
                                                                                                                                                                                                                      SHA-256:0526073F28A3B5999528BFA0E680D668922499124F783F02C52A3B25C367EF6D
                                                                                                                                                                                                                      SHA-512:C35DA0744568BFFFEFF09E6590D059E91E5D380C5FEB3A0FBC5B19477CECA007A882884A7033345CE408FCE1DEAC5248AD9B046656478D734FE494B787F8A9F2
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 8%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):9223040
                                                                                                                                                                                                                      Entropy (8bit):6.355581719432468
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:196608:vL7NqnDg0293wsNAXayRDfxihAYOjPTJ3kx+q8ZJPyv1wbl3bc2EeJUO9WLcb0K:9lOJDm1Wrc2EeJUO9WLcbN
                                                                                                                                                                                                                      MD5:8A9BDA9B9A84BD1551A09B65DFBC0C74
                                                                                                                                                                                                                      SHA1:14FB48758D664917D789C21DCCB26D9D987F099F
                                                                                                                                                                                                                      SHA-256:1D0F8C96F77C339A5F01822B9375131B0B0A49D6CAC45589CDB4B749DAA79773
                                                                                                                                                                                                                      SHA-512:BBFB78B3652532E97F66E2DE7BFBEEFCB59254D9E626C62FF1B2E735AF2549B5483AB07739F6C9A686304C5042CDA79312028293959500BAC2A1EFE91B7732DB
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):7137640
                                                                                                                                                                                                                      Entropy (8bit):6.481515443983134
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:98304:ZRE7yGktThDyt6666666666666666666666666666666x666666666666666fww8:XGktThD0TGh/fTCRwlRvZG3XYBVX1
                                                                                                                                                                                                                      MD5:0DF9039CE4896584A206A40F48A07C6A
                                                                                                                                                                                                                      SHA1:34F0F9AEFD5E37B6B02D062B8AB967DC0F3D2F21
                                                                                                                                                                                                                      SHA-256:1DDE27F0410E59561EAB79A6C8EF6DF2ACEC52E92C9AC646135CD91940F2BE05
                                                                                                                                                                                                                      SHA-512:FCF74DD6BF3491D2E56A963ABF028EDA8DF17C11ABB793E6E3DAAD3C1E6C1AEE2F731B23CE243872B588CDF7B1B6382804F6B5204DFFC04F266BE3A329945FA4
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):11132168
                                                                                                                                                                                                                      Entropy (8bit):6.740943395722077
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:196608:kngOxqtJKXthIbi0EFrJIj35fGsX1bdXtK:kgOxqtQOUJ85jFhXQ
                                                                                                                                                                                                                      MD5:CB9BE257064162076EBD4869CD97E166
                                                                                                                                                                                                                      SHA1:49A8CACD48036784A413D63A242ED178BD75CBE9
                                                                                                                                                                                                                      SHA-256:8A3822D52B4D460430B9E8E0FA6E6BD2C458598E4DBC2529DF7F2BDF902D2DD2
                                                                                                                                                                                                                      SHA-512:013B7E7CCC77531C0D6FA81083B2F16CD0A2B2124105B2F855A478F1F114D3DBA75259B82596645E6BABD91E129E7F7F60AA85ECA32BD95F454B1A8A63B52EFB
                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                      • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Author: Joe Security
                                                                                                                                                                                                                      • Rule: MALWARE_Win_RemoteUtilitiesRAT, Description: RemoteUtilitiesRAT RAT payload, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Author: ditekSHen
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 13%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):21764872
                                                                                                                                                                                                                      Entropy (8bit):6.6100525724973656
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:393216:KEpVg+4nw7m2R8VLgZDMwyA7FWBdlY74ZV:tZR8VLg8AGYs
                                                                                                                                                                                                                      MD5:D563A4D6BFCFE6884D1AC88824CB5C2A
                                                                                                                                                                                                                      SHA1:710C0369915390737ED9BC19252F517D2D2939ED
                                                                                                                                                                                                                      SHA-256:DE0FA71C1CFF03D657CB65A86072E964060C628AA4EB709CBE914DD772EF298D
                                                                                                                                                                                                                      SHA-512:219D6307697CB12FA56020E6B2DC8FF5D13904FD318E2ED3646B294FAA1A613D838D0350E59B911023EA6F6D62CE53E402F975CAD4311D9A7DA58BD675AE2DB6
                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                      • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Author: Joe Security
                                                                                                                                                                                                                      • Rule: MALWARE_Win_RemoteUtilitiesRAT, Description: RemoteUtilitiesRAT RAT payload, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Author: ditekSHen
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 12%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):388696
                                                                                                                                                                                                                      Entropy (8bit):6.639766301981685
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:YIIDyjBnydesbWoiwS7dVIclCzoqHO/gCaEkkH8TuX6RTrWD4siZMZ+LG4IPWwc8:YI8tiDOzyH9H8Tu6h04fZMZoMPuvfj0h
                                                                                                                                                                                                                      MD5:E247666CDEA63DA5A95AEBC135908207
                                                                                                                                                                                                                      SHA1:4642F6C3973C41B7D1C9A73111A26C2D7AC9C392
                                                                                                                                                                                                                      SHA-256:B419ED0374E3789B4F83D4AF601F796D958E366562A0AAEA5D2F81E82ABDCF33
                                                                                                                                                                                                                      SHA-512:06DA11E694D5229783CFB058DCD04D855A1D0758BEEAA97BCD886702A1502D0BF542E7890AA8F2E401BE36CCF70376B5C091A5D328BB1ABE738BC0798AB98A54
                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1640536
                                                                                                                                                                                                                      Entropy (8bit):6.686577023894573
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:49152:OSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSvSSSSSSSSSSSSSSSlwwwwwwwwwwwwww3:OSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSZ
                                                                                                                                                                                                                      MD5:D5C2A6AC30E76B7C9B55ADF1FE5C1E4A
                                                                                                                                                                                                                      SHA1:3D841EB48D1A32B511611D4B9E6EED71E2C373EE
                                                                                                                                                                                                                      SHA-256:11C7004851E6E6624158990DC8ABE3AA517BCAB708364D469589AD0CA3DBA428
                                                                                                                                                                                                                      SHA-512:3C1C7FB535E779AC6C0D5AEF2D4E9239F1C27136468738A0BD8587F91B99365A38808BE31380BE98FD74063D266654A6AC2C2E88861A3FE314A95F1296699E1D
                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):265816
                                                                                                                                                                                                                      Entropy (8bit):6.521007214956242
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3072:MW218gr7s2yIHB0pTPdTX9zUbEbStE97zjAs1RtTcJTfIv0se7POWu/HgsGU1VTl:MWSfr7sXSmPDbKPJ6/AsNk+1x
                                                                                                                                                                                                                      MD5:49C51ACE274D7DB13CAA533880869A4A
                                                                                                                                                                                                                      SHA1:B539ED2F1A15E2D4E5C933611D736E0C317B8313
                                                                                                                                                                                                                      SHA-256:1D6407D7C7FFD2642EA7F97C86100514E8E44F58FF522475CB42BCC43A1B172B
                                                                                                                                                                                                                      SHA-512:13440009E2F63078DCE466BF2FE54C60FEB6CEDEED6E9E6FC592189C50B0780543C936786B7051311089F39E9E3CCB67F705C54781C4CAE6D3A8007998BEFBF6
                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):373336
                                                                                                                                                                                                                      Entropy (8bit):6.7704943019914845
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:faoH9sDRlDLD0GDkEp00tc6TKUOmrRK1jRsAOO04sAO88RtOd:noPH0GgEp0gVd1ValsQXsHOd
                                                                                                                                                                                                                      MD5:EDA07083AF5B6608CB5B7C305D787842
                                                                                                                                                                                                                      SHA1:D1703C23522D285A3CCDAF7BA2EB837D40608867
                                                                                                                                                                                                                      SHA-256:C4683EB09D65D692CA347C0C21F72B086BD2FAF733B13234F3A6B28444457D7D
                                                                                                                                                                                                                      SHA-512:BE5879621D544C4E2C4B0A5DB3D93720623E89E841B2982C7F6C99BA58D30167E0DD591A12048ED045F19EC45877AA2EF631B301B903517EFFA17579C4B7C401
                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):880216
                                                                                                                                                                                                                      Entropy (8bit):5.239371133407635
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12288:vTAPYZEyRr+NDnaLyx2lz8MSjtX08pYRc29qcQmsGahsQZsbRN9S:YYF+Eyx2lzujtEIYRc1cQmsGa7ON9S
                                                                                                                                                                                                                      MD5:642DC7E57F0C962B9DB4C8FB346BC5A7
                                                                                                                                                                                                                      SHA1:ACEE24383B846F7D12521228D69135E5704546F6
                                                                                                                                                                                                                      SHA-256:63B4B5DB4A96A8ABEC82B64034F482B433CD4168C960307AC5CC66D2FBF67EDE
                                                                                                                                                                                                                      SHA-512:FB163A0CE4E3AD0B0A337F5617A7BF59070DF05CC433B6463384E8687AF3EDC197E447609A0D86FE25BA3EE2717FD470F2620A8FC3A2998A7C3B3A40530D0BAE
                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1310720
                                                                                                                                                                                                                      Entropy (8bit):0.8307297220466426
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugb:gJjJGtpTq2yv1AuNZRY3diu8iBVqF9
                                                                                                                                                                                                                      MD5:01924786672282EC8E0CB99C2BBF7E8D
                                                                                                                                                                                                                      SHA1:C84F144739E6E567D8B3E20B32C379CA37943EE0
                                                                                                                                                                                                                      SHA-256:30ACAF870AF99529371921FB1E68E5A481EAC74F9AD6F4D399F07C2710A71FAA
                                                                                                                                                                                                                      SHA-512:8FC9B1A933E43617E619C9E21810701166752AFF3C5D380D747DE687004D9E3F3FB6B2213BF33C297BA8BF8B0FC7FCED95597AA6948EABC372FFA0D540C3E590
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0x16300ed9, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1310720
                                                                                                                                                                                                                      Entropy (8bit):0.6585576682536013
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:1536:RSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:Raza9v5hYe92UOHDnAPZ4PZf9h/9h
                                                                                                                                                                                                                      MD5:56CCE8DE8D1513634C88E9C4E9FBF0E9
                                                                                                                                                                                                                      SHA1:ADAA1C2E1FA92AB18164409A6AA22F9A18B40D93
                                                                                                                                                                                                                      SHA-256:3A7D02962D437E321B5CCF3A49EDE71167A8DC043490B00A46D114B4F9831DF2
                                                                                                                                                                                                                      SHA-512:E5F29827D67A567DC2A02D88B791C3470AE4405F66AAA098F81A8FBF8A68E6108D9BF68EC7C2ED87FE263C02E8DF081964C8F0D0C7B6878F3CFA76E13B3882A4
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):16384
                                                                                                                                                                                                                      Entropy (8bit):0.08069385573086038
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3:LdFGlKYeY4JkGuAJkhvekl1t5eZOallrekGltll/SPj:pFyKzFqrxlQ3Je3l
                                                                                                                                                                                                                      MD5:02F9A650023907AED32D71467A0F8440
                                                                                                                                                                                                                      SHA1:A9C16101A7B0B408B77D84EC1F2334B63FD8EFE3
                                                                                                                                                                                                                      SHA-256:C8A8E1ED1D282DC59927B2DA4D9BB98B080808734FC91DE8DB4FF6D0D3B0863B
                                                                                                                                                                                                                      SHA-512:3854CF7878A14C7EBA879869C55E27869C4B97A0C04E23D1FFEE09F6D85934123281D0A591DD37A7B6C15B932D8A3D5EAF236B0ECC421111D12EA00862FB60A0
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                                                                                                                      File Type:HTML document, ASCII text, with CR line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):6338
                                                                                                                                                                                                                      Entropy (8bit):5.408268556578575
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:lr0xccoJxML6RLidRLi1ongO6gozqf7IdfcMug:lzcWS6pidpiogOSjd
                                                                                                                                                                                                                      MD5:6549D9644FCAF9B7D28F7F6D96672D97
                                                                                                                                                                                                                      SHA1:759DD771893C4515AB9A792BB79CB48BD7E97FCA
                                                                                                                                                                                                                      SHA-256:F42045846A7C5D04B4536EACEF0086D2245E914F7529C6A2C221A70FCDCDAEC0
                                                                                                                                                                                                                      SHA-512:A9860A46E04AFAEBA7BC45678F68D97DCCD00AE67CAB90FA047C84E04F878D8DB604FCBC1D525FD1F68CE8DFD595CBB18C0760B6FBB2CB2FA00895DCAA09D211
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<head>.<meta http-equiv="content-type" content="text/html; charset=utf-8" />.<meta name="copyright" content="TektonIT" />.<meta name="description" content="Remote Manipulator System - Server software, event log. Tektonit.com" />.<title>RMS &ndash; host log</title>.<style type="text/css">.body {.font-family: Courier New, monospace;.font-size: 100%;.background-color: #FFFFFF;.} .h1 {.font-size: 130%;.margin: 0px 0px 0px 0px;.} .textarea {.display: none;.margin-top: 5px;.width: 100%;.} ..main_table td {.border: 1px dashed #DADADA;.} ..e_l_0 {.background-color: #4c4cff;.border: 1px solid red;.} ..e_l_1 {.background-color: #fff04c;.border: none;.} ..e_l_2 {.background-color: #ffa94c;.border: none;.} ..e_l_3 {.background-color: #fc2727;.border: none;.} .#log_header td {.font-weight: bold;.} .#subheader {.font-size: 70%;.color: #DADADA;.margin-bottom: 10px;.} .</style>.<script language="javascript">.function show_textarea(elem) {.var parent_node = elem.parentNode;.var nodes = parent_node.chil
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):333
                                                                                                                                                                                                                      Entropy (8bit):4.983690686317267
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:oe4LmKRL/9e4Ldd/ao9e4LhHujHO7eVVe4LwmnXjKV9e4LOLGeXkRLNWy:oNfjNDSo9N9Be/NRTiN6r06y
                                                                                                                                                                                                                      MD5:A5B88A312EDD4DDEFBD09D952268EC15
                                                                                                                                                                                                                      SHA1:70CF1D773C14D140CE03ABF8B72528C8FD731AE5
                                                                                                                                                                                                                      SHA-256:4D637C43C0ADCD25DCA4BD35299934717705F81632B6712F3CFB305BEB321183
                                                                                                                                                                                                                      SHA-512:CCDFBC8E67945AD644A50F31A08276FDC72E7BA75A5240810721FE98FD6991CF45FEABA703E546682DC037BCCD33099C6AB6BE05DFB5998BC5021230F82B2DFE
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:03-12-2024_02:47:26#T:SilentInstall: installation 70270..03-12-2024_02:47:26#T:SilentInstall: NTSetPrivilege:SE_DEBUG_NAME:false. OK..03-12-2024_02:47:26#T:SilentInstall: OpenService: service not found_1. OK..03-12-2024_02:47:26#T:SilentInstall: CreateService. OK..03-12-2024_02:47:26#T:SilentInstall: finished (installation) 70270..
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: RMS - Host 7.2, Comments: This installer contains the logic and data to install RMS - Host 7.2, Keywords: Installer,MSI,Database, Subject: RMS - Host 7.2, Author: TektonIT, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2021 - Premier Edition with Virtualization Pack 27, Last Saved Time/Date: Thu Jul 18 02:24:09 2024, Create Time/Date: Thu Jul 18 02:24:09 2024, Last Printed: Thu Jul 18 02:24:09 2024, Revision Number: {134AA6F2-2A49-44F2-A7A5-B7B9233956FA}, Code page: 1251, Template: Intel;1049
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):26864640
                                                                                                                                                                                                                      Entropy (8bit):7.924911310016854
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:393216:3fWbJGFHH0km5pmwUs1211e50MRZDzPHPRn9xrUVaWILZPLM4ShshVK6KZ478Qic:3fRLmf21sq8P50dILZPLzVK6D
                                                                                                                                                                                                                      MD5:24F15E659ECB67862F4C6E72726BFCA7
                                                                                                                                                                                                                      SHA1:75D90172D7A315A31A484629DC8573367F3E544A
                                                                                                                                                                                                                      SHA-256:F11C06F1FD567E26FB4CE9999749516B6E47ADE4EE0B7B875A75A5CBFB74DC04
                                                                                                                                                                                                                      SHA-512:913C9FB7FDCA7F9F7DD7077C34092E76E42D88802406C9A5F6E8AA0C21E4F21FEE850A39B95982EFE9ED4A2D022A95C30739CC20DC65F3C6722B6022D8F76B3C
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4770 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):4770
                                                                                                                                                                                                                      Entropy (8bit):7.946747821604857
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:9/nBu64pydcvOHRUfu0xK1bQYMRSRNoYmxYvk56sHMZhh4m:9/nBuP2cGxUfu6K1bpWJ6vfh4m
                                                                                                                                                                                                                      MD5:1BFE591A4FE3D91B03CDF26EAACD8F89
                                                                                                                                                                                                                      SHA1:719C37C320F518AC168C86723724891950911CEA
                                                                                                                                                                                                                      SHA-256:9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
                                                                                                                                                                                                                      SHA-512:02F88DA4B610678C31664609BCFA9D61DB8D0B0617649981AF948F670F41A6207B4EC19FECCE7385A24E0C609CBBF3F2B79A8ACAF09A03C2C432CC4DCE75E9DB
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):338
                                                                                                                                                                                                                      Entropy (8bit):3.1571060838923253
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3:kkFkllcVIXfllXlE/0htlX16pFRltB+SliQlP8F+RlTRe86A+iRlERMta9b3+ALU:kK3JN+SkQlPlEGYRMY9z+s3Ql2DUevat
                                                                                                                                                                                                                      MD5:C5057D970B09AFA329CD5AD953904203
                                                                                                                                                                                                                      SHA1:C518FD66FEBC0114C812AD7C4B4BB0BE1BF4FDF6
                                                                                                                                                                                                                      SHA-256:5AD9851D9D0BF221A0E21CACFD92DFE8FDC0E3C85B2C3724BE8DC6643D98AB9D
                                                                                                                                                                                                                      SHA-512:5CE31079A9752B39DB97F12605CA2EBE0D505154FB8D038E679AEDD7750598E5A4CF56207F0020FA8805AB9007E01A0D62D0CCBB3B1C0BDBD810CF0D040F5384
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:p...... ........00y.WE..(....................................................... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):2278
                                                                                                                                                                                                                      Entropy (8bit):3.8429436188665402
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:48:uiTrlKxsxxVxl9Il8u4C9gmy36dtDeUxACfqjOyd1rc:vxYuC99y3+eUxAfjm
                                                                                                                                                                                                                      MD5:AFA452E357DE719F148264F8CD958EFF
                                                                                                                                                                                                                      SHA1:07D6687C1CF2C14216FA03F9CB4F38B54DBC9C86
                                                                                                                                                                                                                      SHA-256:8D130E04282C38E2A9EABBADE6BA458BFD48739E5F46A4EB1F29AA6CC4F9B77B
                                                                                                                                                                                                                      SHA-512:68B621C781CE74FC37C495AD304CB5600572B274A78AEB70C8FA08B0258D277F329F0A07206EB10819046F7E95B6350EDED2D08C0B800AFA6B4BBC66E812392B
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".C.J.1.m.u.g.S.o.z.s.S.9.x.S.Z./.Q.v.O.c.+.E.J.4.u.2.c.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.N.U.U.8.1.9.F.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.B.C.F.w.3.f.
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):2684
                                                                                                                                                                                                                      Entropy (8bit):3.8936831492217556
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:48:uiTrlKxJxdxl9Il8u4Cu/cLC77jjMWqdOFrQ6cZyCHDPd/vc:YYuCu/cS7vMWGOFrQ6cZy8K
                                                                                                                                                                                                                      MD5:F38936591BFF9097E7E56AD1E5A0A58F
                                                                                                                                                                                                                      SHA1:6AB17CC9AD997C42A033EFF8E994B4B05B06BA34
                                                                                                                                                                                                                      SHA-256:377A77A0F9C75821F239E27FB563AFAA89815B9958B0C1DB2A4E7515CF3C5D3B
                                                                                                                                                                                                                      SHA-512:AF91F377117F183B2A16B7D4F9CFC028A6D9C71A36795E142F5E38C36C83C6351D62204C469631F870BA238F87D571CC039F1D5D40CA297D991A1CA1DFF38A85
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.H.X.L.G.R.5.H.j.D.k.3.C.i.F.b.L.a.m.K.N.+.n.c.g.T.0.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".D.f.Q.8.C.i.l.k.3.A.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.B.C.F.w.3.f.
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):4542
                                                                                                                                                                                                                      Entropy (8bit):4.003038763501965
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:uYuC0K0ipQ3uGqWBDDPs25Q2bdSbi30fmgT4Sc2uljwD:uTVYG9Bn/5Qjbi3DSlulcD
                                                                                                                                                                                                                      MD5:64EC4B9F5F0652D82290A3DB820D6070
                                                                                                                                                                                                                      SHA1:9871BE45A7DF570B3FF77118FE74F691A4D91C04
                                                                                                                                                                                                                      SHA-256:F6B223BEA21E8C6CABA181B660E5F8BBF5F7117447455BCB52004EDDCF212FC6
                                                                                                                                                                                                                      SHA-512:FB2D12A7E01C3BD8749846C7B7D86D16A7197C83FD87B21F2F4596D472CD06D417B8B743E407530D310BD6706329D560D0034025B0AE25190B6551B5C64CC13E
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.q.Y.a.6.3.X.Y.9.b.4.Y.b.C.Z.g.f.0.u.y.E.6.v.n.x.e.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".9.o.O.j.2.F.d.F.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.B.C.F.w.3.f.
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 1428x2020, components 3
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):217242
                                                                                                                                                                                                                      Entropy (8bit):7.641248072397463
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3072:0yKKhARKP6+FeRJhaigk8Ukyhxv8vyNrwyJN2EiXo4EaCNSltkprZvyYqZtGq:0yKKhEKBSf/vv8vyNjz9oltkyY2
                                                                                                                                                                                                                      MD5:6CFFBB054A1BD06B3B1018684467A551
                                                                                                                                                                                                                      SHA1:347CECCBDFCE4CB2AA96F90735C2F5975E9ABC3F
                                                                                                                                                                                                                      SHA-256:E0967AD8F4F2DF25AD1343AABF1C144E48D83BC3E61E2122F5BBF9A83EA63709
                                                                                                                                                                                                                      SHA-512:24726671FEFA5228737C2E3E2CC159ECA90CD770022051A07C4C059B5378DA251E70568C956CB00631E12424FF5218E7A9A9BE30B0F4D47C277FC470218F88F0
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1536
                                                                                                                                                                                                                      Entropy (8bit):0.09783851312991518
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3:llmn/lLfn:YZn
                                                                                                                                                                                                                      MD5:881EE5BD27A267B0F01FD15E90AC4309
                                                                                                                                                                                                                      SHA1:39D217D0F4BDE69A9A163E9F6C5728FDE81907F7
                                                                                                                                                                                                                      SHA-256:90305EA213DDD5187AC57A744160391E8F9CD88FE8C355170291294739AAE912
                                                                                                                                                                                                                      SHA-512:870D03A7DE2D66778F5199708387802196419BCA134EF50F6279715EC0EEFCB01AAE209ABCB790397A855301409EC6403A3B002214CB5B07153AD4CBD7B556B7
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):20971520
                                                                                                                                                                                                                      Entropy (8bit):0.014298055565663022
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:ovTb6iFXm1Sc73cjqEnzTBOOLAphruGPDW+oB:ovTb6iFWsc73cjqEnzTB/LAn5PDW+oB
                                                                                                                                                                                                                      MD5:0E826CB7F72CECC82F0E90129533D8EA
                                                                                                                                                                                                                      SHA1:1074D1A9BCEC783ED5548936C35E952359ADD0CF
                                                                                                                                                                                                                      SHA-256:63601E008BCA60A48794A0F5C57DB251D9CBB76E9A50004F67A9F12596E96209
                                                                                                                                                                                                                      SHA-512:F09CEC332000E9F9C80C323BD098AD3C0115A5827ACAF011B53D54F755C5986DC2181BB4F18E79BDCC583E1155B9EAE819890117DEE05E0DE6ED39BFBAEEBF7B
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..12/03/2024 07:47:09.481.WINWORD (0x1694).0x12BC.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.LoadXmlRules","Flags":33777014401990913,"InternalSequenceNumber":22,"Time":"2024-12-03T07:47:09.481Z","Contract":"Office.System.Activity","Activity.CV":"An4+MYHLvU+W26Wnr4CKlw.7.1","Activity.Duration":249,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Activity.Result.Code":-2147024890,"Activity.Result.Type":"HRESULT","Activity.Result.Tag":528307459}...12/03/2024 07:47:09.497.WINWORD (0x1694).0x12BC.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.ProcessIdleQueueJob","Flags":33777014401990913,"InternalSequenceNumber":23,"Time":"2024-12-03T07:47:09.497Z","Contract":"Office.System.Activity","Activity.CV":"An4+MYHLvU+W26Wnr4CKlw.7","Activity.Duration":2475,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Data.FailureD
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):20971520
                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                      MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                                                                                                                                                                                                                      SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                                                                                                                                                                                                                      SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                                                                                                                                                                                                                      SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):254
                                                                                                                                                                                                                      Entropy (8bit):3.4721586910685547
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUX9+RclTloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyteUTloGHmD0+dAH/luWvv
                                                                                                                                                                                                                      MD5:4DD225E2A305B50AF39084CE568B8110
                                                                                                                                                                                                                      SHA1:C85173D49FC1522121AA2B0B2E98ADF4BB95B897
                                                                                                                                                                                                                      SHA-256:6F00DD73F169C73D425CB9895DAC12387E21C6E4C9C7DDCFB03AC32552E577F4
                                                                                                                                                                                                                      SHA-512:0493AB431004191381FF84AD7CC46BD09A1E0FEEC16B3183089AA8C20CC7E491FAE86FE0668A9AC677F435A203E494F5E6E9E4A0571962F6021D6156B288B28A
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .c.h.e.v.r.o.n.a.c.c.e.n.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):4243
                                                                                                                                                                                                                      Entropy (8bit):7.824383764848892
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:22MQe4zHye8/djzF+JjvtmMkkBpF7e0LTkaf:22De4zHHCvF+nRBDXoaf
                                                                                                                                                                                                                      MD5:7BC0A35807CD69C37A949BBD51880FF5
                                                                                                                                                                                                                      SHA1:B5870846F44CAD890C6EFF2F272A037DA016F0D8
                                                                                                                                                                                                                      SHA-256:BD3A013F50EBF162AAC4CED11928101554C511BD40C2488CF9F5842A375B50CA
                                                                                                                                                                                                                      SHA-512:B5B785D693216E38B5AB3F401F414CADACCDCB0DCA4318D88FE1763CD3BAB8B7670F010765296613E8D3363E47092B89357B4F1E3242F156750BE86F5F7E9B8D
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):258
                                                                                                                                                                                                                      Entropy (8bit):3.4692172273306268
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUXcq9DsoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnysmYoGHmD0+dAH/luWvv
                                                                                                                                                                                                                      MD5:C1B36A0547FB75445957A619201143AC
                                                                                                                                                                                                                      SHA1:CDB0A18152F57653F1A707D39F3D7FB504E244A7
                                                                                                                                                                                                                      SHA-256:4DFF7D1CEF6DD85CC73E1554D705FA6586A1FBD10E4A73EEE44EAABA2D2FFED9
                                                                                                                                                                                                                      SHA-512:0923FB41A6DB96C85B44186E861D34C26595E37F30A6F8E554BD3053B99F237D9AC893D47E8B1E9CF36556E86EFF5BE33C015CBBDD31269CDAA68D6947C47F3F
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .p.i.c.t.u.r.e.o.r.g.c.h.a.r.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):7370
                                                                                                                                                                                                                      Entropy (8bit):7.9204386289679745
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:fYa+ngK2xG6HvLvoUnXxO+blKO1lt2Zg0AV:fYVn8Y6Hv3XxO+8uQZCV
                                                                                                                                                                                                                      MD5:586CEBC1FAC6962F9E36388E5549FFE9
                                                                                                                                                                                                                      SHA1:D1EF3BF2443AE75A78E9FDE8DD02C5B3E46F5F2E
                                                                                                                                                                                                                      SHA-256:1595C0C027B12FE4C2B506B907C795D14813BBF64A2F3F6F5D71912D7E57BC40
                                                                                                                                                                                                                      SHA-512:68DEAE9C59EA98BD597AE67A17F3029BC7EA2F801AC775CF7DECA292069061EA49C9DF5776CB5160B2C24576249DAF817FA463196A04189873CF16EFC4BEDC62
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):332
                                                                                                                                                                                                                      Entropy (8bit):3.547857457374301
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUXSpGLMeKlPaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyipTIw9eNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                                                                                      MD5:4EC6724CBBA516CF202A6BD17226D02C
                                                                                                                                                                                                                      SHA1:E412C574D567F0BA68B4A31EDB46A6AB3546EA95
                                                                                                                                                                                                                      SHA-256:18E408155A2C2A24D91CD45E065927FFDA726356AAB115D290A3C1D0B7100402
                                                                                                                                                                                                                      SHA-512:DE45011A084AB94BF5B27F2EC274D310CF68DF9FB082E11726E08EB89D5D691EA086C9E0298E16AE7AE4B23753E5916F69F78AAD82F4627FC6F80A6A43D163DB
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .h.a.r.v.a.r.d.a.n.g.l.i.a.2.0.0.8.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):284415
                                                                                                                                                                                                                      Entropy (8bit):5.00549404077789
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:N9G5o7Fv0ZcxrStAtXWty8zRLYBQd8itHiYYPVJHMSo27hlwNR57johqBXlwNR2b:y
                                                                                                                                                                                                                      MD5:33A829B4893044E1851725F4DAF20271
                                                                                                                                                                                                                      SHA1:DAC368749004C255FB0777E79F6E4426E12E5EC8
                                                                                                                                                                                                                      SHA-256:C40451CADF8944A9625DD690624EA1BA19CECB825A67081E8144AD5526116924
                                                                                                                                                                                                                      SHA-512:41C1F65E818C2757E1A37F5255E98F6EDEAC4214F9D189AD09C6F7A51F036768C1A03D6CFD5845A42C455EE189D13BB795673ACE3B50F3E1D77DAFF400F4D708
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2008</xsl:text>.....</xsl:when>.... <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <x
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):260
                                                                                                                                                                                                                      Entropy (8bit):3.494357416502254
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUX0XPE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXPGHmD0+dAH/luWvv
                                                                                                                                                                                                                      MD5:6F8FE7B05855C203F6DEC5C31885DD08
                                                                                                                                                                                                                      SHA1:9CC27D17B654C6205284DECA3278DA0DD0153AFF
                                                                                                                                                                                                                      SHA-256:B7F58DF058C938CCF39054B31472DC76E18A3764B78B414088A261E440870175
                                                                                                                                                                                                                      SHA-512:C518A243E51CB4A1E3C227F6A8A8D9532EE111D5A1C86EBBB23BD4328D92CD6A0587DF65B3B40A0BE2576D8755686D2A3A55E10444D5BB09FC4E0194DB70AFE6
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.G.r.i.d...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):6193
                                                                                                                                                                                                                      Entropy (8bit):7.855499268199703
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:WavHMKgnU2HUGFhUnkbOKoztj1QfcnLYut3d8:YKeUlGXUnC+HQSMp
                                                                                                                                                                                                                      MD5:031C246FFE0E2B623BBBD231E414E0D2
                                                                                                                                                                                                                      SHA1:A57CA6134779D54691A4EFD344BC6948E253E0BA
                                                                                                                                                                                                                      SHA-256:2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
                                                                                                                                                                                                                      SHA-512:6A784C28E12C3740300883A0E690F560072A3EA8199977CBD7F260A21E8346B82BA8A4F78394D3BB53FA2E98564B764C2D0232C40B25FB6085C36D20D70A39D1
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):314
                                                                                                                                                                                                                      Entropy (8bit):3.5230842510951934
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUXJuJaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyZuUw9eNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                                                                                      MD5:F25AC64EC63FA98D9E37782E2E49D6E6
                                                                                                                                                                                                                      SHA1:97DD9CFA4A22F5B87F2B53EFA37332A9EF218204
                                                                                                                                                                                                                      SHA-256:834046A829D1EA836131B470884905856DBF2C3C136C98ADEEFA0F206F38F8AB
                                                                                                                                                                                                                      SHA-512:A0387239CDE98BCDE1668B582B046619C3B3505F9440343DAD22B1B7B9E05F3B74F2AE29E591EC37B6570A0C0E5FE571442873594B0684DDCCB4F6A1B5E10B1F
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.e.e.e.2.0.0.6.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):294178
                                                                                                                                                                                                                      Entropy (8bit):4.977758311135714
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:ydkJ3yU0orh0SCLVXyMFsoiOjWIm4vW2uo4hfhf7v3uH4NYYP4BpBaZTTSSamEUD:b
                                                                                                                                                                                                                      MD5:0C9731C90DD24ED5CA6AE283741078D0
                                                                                                                                                                                                                      SHA1:BDD3D7E5B0DE9240805EA53EF2EB784A4A121064
                                                                                                                                                                                                                      SHA-256:ABCE25D1EB3E70742EC278F35E4157EDB1D457A7F9D002AC658AAA6EA4E4DCDF
                                                                                                                                                                                                                      SHA-512:A39E6201D6B34F37C686D9BD144DDD38AE212EDA26E3B81B06F1776891A90D84B65F2ABC5B8F546A7EFF3A62D35E432AF0254E2F5BFE4AA3E0CF9530D25949C0
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2006</xsl:text>.....</xsl:when>.. <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameL
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):332
                                                                                                                                                                                                                      Entropy (8bit):3.4871192480632223
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUXsdDUaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyoRw9eNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                                                                                      MD5:333BA58FCE326DEA1E4A9DE67475AA95
                                                                                                                                                                                                                      SHA1:F51FAD5385DC08F7D3E11E1165A18F2E8A028C14
                                                                                                                                                                                                                      SHA-256:66142D15C7325B98B199AB6EE6F35B7409DE64EBD5C0AB50412D18CBE6894097
                                                                                                                                                                                                                      SHA-512:BFEE521A05B72515A8D4F7D13D8810846DC60F1E85C363FFEBD6CACD23AE8D2E664C563FC74700A4ED4E358F378508D25C46CB5BE1CF587E2E278EBC22BB2625
                                                                                                                                                                                                                      Malicious:false
Preview:[File] OriginalName: mlaseventheditionofficeonline.xsl Component: WordFiles ReqVer: 14 Executable: {WD} StoreLocation: {My Templates} Command: /f {FilePath}
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):254875
                                                                                                                                                                                                                      Entropy (8bit):5.003842588822783
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:MwprAnniNgtfbzbOWPuv7kOMBLitjAUjTQLrYHwR0TnyDkHqV3iPr1zHX5T6SSXj:a
                                                                                                                                                                                                                      MD5:377B3E355414466F3E3861BCE1844976
                                                                                                                                                                                                                      SHA1:0B639A3880ACA3FD90FA918197A669CC005E2BA4
                                                                                                                                                                                                                      SHA-256:4AC5B26C5E66E122DE80243EF621CA3E1142F643DD2AD61B75FF41CFEE3DFFAF
                                                                                                                                                                                                                      SHA-512:B050AD52A8161F96CBDC880DD1356186F381B57159F5010489B04528DB798DB955F0C530465AB3ECD5C653586508429D98336D6EB150436F1A53ABEE0697AEB9
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>...</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />......<xsl:variable name="prop_EndChars">.....<xsl:call-template name="templ_prop_EndChars"/>....</xsl:variable>......<xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parameters" />......
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):260
                                                                                                                                                                                                                      Entropy (8bit):3.4895685222798054
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUX4cPBl4xoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyPl4xoGHmD0+dAH/luWvv
                                                                                                                                                                                                                      MD5:63E8B0621B5DEFE1EF17F02EFBFC2436
                                                                                                                                                                                                                      SHA1:2D02AD4FD9BF89F453683B7D2B3557BC1EEEE953
                                                                                                                                                                                                                      SHA-256:9243D99795DCDAD26FA857CB2740E58E3ED581E3FAEF0CB3781CBCD25FB4EE06
                                                                                                                                                                                                                      SHA-512:A27CDA84DF5AD906C9A60152F166E7BD517266CAA447195E6435997280104CBF83037F7B05AE9D4617323895DCA471117D8C150E32A3855156CB156E15FA5864
                                                                                                                                                                                                                      Malicious:false
Preview:[File] OriginalName: VaryingWidthList.glox Component: WordFiles ReqVer: 14 StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):3075
                                                                                                                                                                                                                      Entropy (8bit):7.716021191059687
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:48:96yn4sOBoygpySCCxwKsZCB2oLEIK+aQpUNLRQWtmMamIZxAwCC2QnyODhVOzP4:l0vCxJsZQ2ofpKvtmMdIZxAwJyODhVOE
                                                                                                                                                                                                                      MD5:67766FF48AF205B771B53AA2FA82B4F4
                                                                                                                                                                                                                      SHA1:0964F8B9DC737E954E16984A585BDC37CE143D84
                                                                                                                                                                                                                      SHA-256:160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
                                                                                                                                                                                                                      SHA-512:AC28B0B4A9178E9B424E5893870913D80F4EE03D595F587AA1D3ACC68194153BAFC29436ADFD6EA8992F0B00D17A43CFB42C529829090AF32C3BE591BD41776D
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):254
                                                                                                                                                                                                                      Entropy (8bit):3.4845992218379616
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUXQFoElh/lE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny8lLGHmD0+dAH/luWvv
                                                                                                                                                                                                                      MD5:E8B30D1070779CC14FBE93C8F5CF65BE
                                                                                                                                                                                                                      SHA1:9C87F7BC66CF55634AB3F070064AAF8CC977CD05
                                                                                                                                                                                                                      SHA-256:2E90434BE1F6DCEA9257D42C331CD9A8D06B848859FD4742A15612B2CA6EFACB
                                                                                                                                                                                                                      SHA-512:C0D5363B43D45751192EF06C4EC3C896A161BB11DBFF1FC2E598D28C644824413C78AE3A68027F7E622AF0D709BE0FA893A3A3B4909084DF1ED9A8C1B8267FCA
                                                                                                                                                                                                                      Malicious:false
Preview:[File] OriginalName: HexagonRadial.glox Component: WordFiles ReqVer: 14 StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):6024
                                                                                                                                                                                                                      Entropy (8bit):7.886254023824049
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:bGa2onnLYHTSSxpHVTSH1bywZKmpRqiUtFvS9xrPooBpni6eDa16MUELHsrKjRBA:SJonLYzSSr1TuZNwtFZKpiiyrKXuCUd
                                                                                                                                                                                                                      MD5:20621E61A4C5B0FFEEC98FFB2B3BCD31
                                                                                                                                                                                                                      SHA1:4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4
                                                                                                                                                                                                                      SHA-256:223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
                                                                                                                                                                                                                      SHA-512:BDF3A8E3D6EE87D8ADE0767918603B8D238CAE8A2DD0C0F0BF007E89E057C7D1604EB3CCAF0E1BA54419C045FC6380ECBDD070F1BB235C44865F1863A8FA7EEA
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):278
                                                                                                                                                                                                                      Entropy (8bit):3.5280239200222887
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUXQAl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyllNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                                                                                      MD5:877A8A960B2140E3A0A2752550959DB9
                                                                                                                                                                                                                      SHA1:FBEC17B332CBC42F2F16A1A08767623C7955DF48
                                                                                                                                                                                                                      SHA-256:FE07084A41CF7DB58B06D2C0D11BCACB603D6574261D1E7EBADCFF85F39AFB47
                                                                                                                                                                                                                      SHA-512:B8B660374EC6504B3B5FCC7DAC63AF30A0C9D24306C36B33B33B23186EC96AEFE958A3851FF3BC57FBA72A1334F633A19C0B8D253BB79AA5E5AFE4A247105889
                                                                                                                                                                                                                      Malicious:false
Preview:[File] OriginalName: gb.xsl Component: WordFiles ReqVer: 14 Executable: {WD} StoreLocation: {My Templates} Command: /f {FilePath}
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):268317
                                                                                                                                                                                                                      Entropy (8bit):5.05419861997223
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:JwprAJLR95vtfb8p4bgWPzDCvCmvQursq7vImej/yQzSS1apSiQhHDOruvoVeMUh:N9
                                                                                                                                                                                                                      MD5:51D32EE5BC7AB811041F799652D26E04
                                                                                                                                                                                                                      SHA1:412193006AA3EF19E0A57E16ACF86B830993024A
                                                                                                                                                                                                                      SHA-256:6230814BF5B2D554397580613E20681752240AB87FD354ECECF188C1EABE0E97
                                                                                                                                                                                                                      SHA-512:5FC5D889B0C8E5EF464B76F0C4C9E61BDA59B2D1205AC9417CC74D6E9F989FB73D78B4EB3044A1A1E1F2C00CE1CA1BD6D4D07EEADC4108C7B124867711C31810
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):238
                                                                                                                                                                                                                      Entropy (8bit):3.472155835869843
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUXGE2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny4GHmD0+dAH/luWvv
                                                                                                                                                                                                                      MD5:2240CF2315F2EB448CEA6E9CE21B5AC5
                                                                                                                                                                                                                      SHA1:46332668E2169E86760CBD975FF6FA9DB5274F43
                                                                                                                                                                                                                      SHA-256:0F7D0BD5A8CED523CFF4F99D7854C0EE007F5793FA9E1BA1CD933B0894BFBD0D
                                                                                                                                                                                                                      SHA-512:10BA73FF861112590BF135F4B337346F9D4ACEB10798E15DC5976671E345BC29AC8527C6052FEC86AA7058E06D1E49052E49D7BCF24A01DB259B5902DB091182
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .r.i.n.g.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):5151
                                                                                                                                                                                                                      Entropy (8bit):7.859615916913808
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:WkV3UHhcZDEteEJqeSGzpG43GUR8m8b6dDLiCTfjKPnD6H5RhfuDKNtxx3+7tDLp:Wq3UBc9EJqIpGgD5dDL1DjKvDKhfnNti
                                                                                                                                                                                                                      MD5:6C24ED9C7C868DB0D55492BB126EAFF8
                                                                                                                                                                                                                      SHA1:C6D96D4D298573B70CF5C714151CF87532535888
                                                                                                                                                                                                                      SHA-256:48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
                                                                                                                                                                                                                      SHA-512:A3E9DC48C04DC8571289F57AE790CA4E6934FBEA4FDDC20CB780F7EA469FE1FC1D480A1DBB04D15301EF061DA5700FF0A793EB67D2811C525FEF618B997BCABD
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):4026
                                                                                                                                                                                                                      Entropy (8bit):7.809492693601857
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:VpDCBFLhxaUGm5EWA07yNdKH1FQpy8tnX8Iz3b7TrT502+fPD:VpDYFFRMNU+RtXzLf35t+3D
                                                                                                                                                                                                                      MD5:5D9BAD7ADB88CEE98C5203883261ACA1
                                                                                                                                                                                                                      SHA1:FBF1647FCF19BCEA6C3CF4365C797338CA282CD2
                                                                                                                                                                                                                      SHA-256:8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
                                                                                                                                                                                                                      SHA-512:7132923869A3DA2F2A75393959382599D7C4C05CA86B4B27271AB9EA95C7F2E80A16B45057F4FB729C9593F506208DC70AF2A635B90E4D8854AC06C787F6513D
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):250
                                                                                                                                                                                                                      Entropy (8bit):3.4916022431157345
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUXsAl8xoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny8A8xoGHmD0+dAH/luWvv
                                                                                                                                                                                                                      MD5:1A314B08BB9194A41E3794EF54017811
                                                                                                                                                                                                                      SHA1:D1E70DB69CA737101524C75E634BB72F969464FF
                                                                                                                                                                                                                      SHA-256:9025DD691FCAD181D5FD5952C7AA3728CD8A2CAF20DEA14930876419BED9B379
                                                                                                                                                                                                                      SHA-512:AB29C8674A85711EABAE5F9559E9048FE91A2F51EB12D5A46152A310DE59F759DF8C617DA248798A7C20F60E26FBB1B0FC8DB47C46B098BCD26CF8CE78989ACA
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.r.a.c.k.e.t.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):286
                                                                                                                                                                                                                      Entropy (8bit):3.538396048757031
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUXcel8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyMelNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                                                                                      MD5:149948E41627BE5DC454558E12AF2DA4
                                                                                                                                                                                                                      SHA1:DB72388C037F0B638FCD007FAB46C916249720A8
                                                                                                                                                                                                                      SHA-256:1B981DC422A042CDDEBE2543C57ED3D468288C20D280FF9A9E2BB4CC8F4776ED
                                                                                                                                                                                                                      SHA-512:070B55B305DB48F7A8CD549A5AECF37DE9D6DCD780A5EC546B4BB2165AF4600FA2AF350DDDB48BECCAA3ED954AEE90F5C06C3183310B081F555389060FF4CB01
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .s.i.s.t.0.2...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):250983
                                                                                                                                                                                                                      Entropy (8bit):5.057714239438731
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:JwprA6OS95vtfb8p4bgWPzkhUh9I5/oBRSifJeg/yQzvapSiQhHZeruvoXMUw3im:uP
                                                                                                                                                                                                                      MD5:F883B260A8D67082EA895C14BF56DD56
                                                                                                                                                                                                                      SHA1:7954565C1F243D46AD3B1E2F1BAF3281451FC14B
                                                                                                                                                                                                                      SHA-256:EF4835DB41A485B56C2EF0FF7094BC2350460573A686182BC45FD6613480E353
                                                                                                                                                                                                                      SHA-512:D95924A499F32D9B4D9A7D298502181F9E9048C21DBE0496FA3C3279B263D6F7D594B859111A99B1A53BD248EE69B867D7B1768C42E1E40934E0B990F0CE051E
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):302
                                                                                                                                                                                                                      Entropy (8bit):3.537169234443227
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUXfQIUA/e/Wl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyXZ/eulNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                                                                                      MD5:9C00979164E78E3B890E56BE2DF00666
                                                                                                                                                                                                                      SHA1:1FA3C439D214C34168ADF0FBA5184477084A0E51
                                                                                                                                                                                                                      SHA-256:21CCB63A82F1E6ACD6BAB6875ABBB37001721675455C746B17529EE793382C7B
                                                                                                                                                                                                                      SHA-512:54AC8732C2744B60DA744E54D74A2664658E4257A136ABE886FF21585E8322E028D8243579D131EF4E9A0ABDDA70B4540A051C8B8B60D65C3EC0888FD691B9A7
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.s.o.6.9.0.n.m.e.r.i.c.a.l...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):217137
                                                                                                                                                                                                                      Entropy (8bit):5.068335381017074
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:AwprA3Z95vtf58pb1WP2DCvCmvQursq7vIme5QyQzSS1apSiQhHDlruvoVeMUwFj:4P
                                                                                                                                                                                                                      MD5:3BF8591E1D808BCCAD8EE2B822CC156B
                                                                                                                                                                                                                      SHA1:9CC1E5EFD715BD0EAE5AF983FB349BAC7A6D7BA0
                                                                                                                                                                                                                      SHA-256:7194396E5C833E6C8710A2E5D114E8E24338C64EC9818D51A929D57A5E4A76C8
                                                                                                                                                                                                                      SHA-512:D434A4C15DA3711A5DAAF5F7D0A5E324B4D94A04B3787CA35456BFE423EAC9D11532BB742CDE6E23C16FA9FD203D3636BD198B41C7A51E7D3562D5306D74F757
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>...... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parame
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):252
                                                                                                                                                                                                                      Entropy (8bit):3.48087342759872
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUXXt1MIae2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyfMIaRGHmD0+dAH/luWvv
                                                                                                                                                                                                                      MD5:69757AF3677EA8D80A2FBE44DEE7B9E4
                                                                                                                                                                                                                      SHA1:26AF5881B48F0CB81F194D1D96E3658F8763467C
                                                                                                                                                                                                                      SHA-256:0F14CA656CDD95CAB385F9B722580DDE2F46F8622E17A63F4534072D86DF97C3
                                                                                                                                                                                                                      SHA-512:BDA862300BAFC407D662872F0BFB5A7F2F72FE1B7341C1439A22A70098FA50C81D450144E757087778396496777410ADCE4B11B655455BEDC3D128B80CFB472A
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .P.i.c.t.u.r.e.F.r.a.m.e...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):4326
                                                                                                                                                                                                                      Entropy (8bit):7.821066198539098
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:+fF+Jrp7Yo5hnJiGa24TxEcpUeONo1w2NFocy2LQi33Z:2+f7YuhJdJ4TxEcmKwGkk3Z
                                                                                                                                                                                                                      MD5:D32E93F7782B21785424AE2BEA62B387
                                                                                                                                                                                                                      SHA1:1D5589155C319E28383BC01ED722D4C2A05EF593
                                                                                                                                                                                                                      SHA-256:2DC7E71759D84EF8BB23F11981E2C2044626FEA659383E4B9922FE5891F5F478
                                                                                                                                                                                                                      SHA-512:5B07D6764A6616A7EF25B81AB4BD4601ECEC1078727BFEAB4A780032AD31B1B26C7A2306E0DBB5B39FC6E03A3FC18AD67C170EA9790E82D8A6CEAB8E7F564447
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):264
                                                                                                                                                                                                                      Entropy (8bit):3.4866056878458096
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUX0XrZUloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXWloGHmD0+dAH/luWvv
                                                                                                                                                                                                                      MD5:6C489D45F3B56845E68BE07EA804C698
                                                                                                                                                                                                                      SHA1:C4C9012C0159770CB882870D4C92C307126CEC3F
                                                                                                                                                                                                                      SHA-256:3FE447260CDCDEE287B8D01CF5F9F53738BFD6AAEC9FB9787F2826F8DEF1CA45
                                                                                                                                                                                                                      SHA-512:D1355C48A09E7317773E4F1613C4613B7EA42D21F5A6692031D288D69D47B19E8F4D5A29AFD8B751B353FC7DE865EAE7CFE3F0BEC05F33DDF79526D64A29EB18
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.A.c.c.e.n.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):6448
                                                                                                                                                                                                                      Entropy (8bit):7.897260397307811
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:tgaoRbo1sMjb0NiJ85oPtqcS+yaXWoa8XBzdJYnLYFtWT7:LR1sk+i4o1qc1yaukzd8MK
                                                                                                                                                                                                                      MD5:42A840DC06727E42D42C352703EC72AA
                                                                                                                                                                                                                      SHA1:21AAAF517AFB76BF1AF4E06134786B1716241D29
                                                                                                                                                                                                                      SHA-256:02CCE7D526F844F70093AC41731D1A1E9B040905DCBA63BA8BFFC0DBD4D3A7A7
                                                                                                                                                                                                                      SHA-512:8886BFD240D070237317352DEB3D46C6B07E392EBD57730B1DED016BD8740E75B9965F7A3FCD43796864F32AAE0BE911AB1A670E9CCC70E0774F64B1BDA93488
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):288
                                                                                                                                                                                                                      Entropy (8bit):3.523917709458511
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUXC1l8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnySvNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                                                                                      MD5:4A9A2E8DB82C90608C96008A5B6160EF
                                                                                                                                                                                                                      SHA1:A49110814D9546B142C132EBB5B9D8A1EC23E2E6
                                                                                                                                                                                                                      SHA-256:4FA948EEB075DFCB8DCA773A3F994560C69D275690953625731C4743CD5729F7
                                                                                                                                                                                                                      SHA-512:320B9CC860FFBDB0FD2DB7DA7B7B129EEFF3FFB2E4E4820C3FBBFEA64735EB8CFE1F4BB5980302770C0F77FF575825F2D9A8BB59FC80AD4C198789B3D581963B
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .c.h.i.c.a.g.o...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):296658
                                                                                                                                                                                                                      Entropy (8bit):5.000002997029767
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:RwprAMk0qvtfL/vF/bkWPz9yv7EOMBPitjASjTQQr7IwR0TnyDkJb78plJwf33iV:M
                                                                                                                                                                                                                      MD5:9AC6DE7B629A4A802A41F93DB2C49747
                                                                                                                                                                                                                      SHA1:3D6E929AA1330C869D83F2BF8EBEBACD197FB367
                                                                                                                                                                                                                      SHA-256:52984BC716569120D57C8E6A360376E9934F00CF31447F5892514DDCCF546293
                                                                                                                                                                                                                      SHA-512:5736F14569E0341AFB5576C94B0A7F87E42499CEC5927AAC83BB5A1F77B279C00AEA86B5F341E4215076D800F085D831F34E4425AD9CFD52C7AE4282864B1E73
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):16806
                                                                                                                                                                                                                      Entropy (8bit):7.9519793977093505
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:eSMjhqgJDGwOzHR3iCpK+QdLdfufFJ9aDn9LjDMVAwHknbz7OW:eSkhqglGwERSAHQdLhDn9AKokv7H
                                                                                                                                                                                                                      MD5:950F3AB11CB67CC651082FEBE523AF63
                                                                                                                                                                                                                      SHA1:418DE03AD2EF93D0BD29C3D7045E94D3771DACB4
                                                                                                                                                                                                                      SHA-256:9C5E4D8966A0B30A22D92DB1DA2F0DBF06AC2EA75E7BB8501777095EA0196974
                                                                                                                                                                                                                      SHA-512:D74BF52A58B0C0327DB9DDCAD739794020F00B3FA2DE2B44DAAEC9C1459ECAF3639A5D761BBBC6BDF735848C4FD7E124D13B23964B0055BB5AA4F6AFE76DFE00
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):254
                                                                                                                                                                                                                      Entropy (8bit):3.4720677950594836
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUXOu9+MlWlk2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnycMlWlzGHmD0+dAH/luWvv
                                                                                                                                                                                                                      MD5:D04EC08EFE18D1611BDB9A5EC0CC00B1
                                                                                                                                                                                                                      SHA1:668FF6DFE64D5306220341FC2C1353199D122932
                                                                                                                                                                                                                      SHA-256:FA60500F951AFAF8FFDB6D1828456D60004AE1558E8E1364ADC6ECB59F5450C9
                                                                                                                                                                                                                      SHA-512:97EBCCAF64FA33238B7CFC0A6D853EFB050D877E21EE87A78E17698F0BB38382FCE7F6C4D97D550276BD6B133D3099ECAB9CFCD739F31BFE545F4930D896EEC3
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.i.r.c.l.e.P.r.o.c.e.s.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):252
                                                                                                                                                                                                                      Entropy (8bit):3.4680595384446202
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUXivlE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyydGHmD0+dAH/luWvv
                                                                                                                                                                                                                      MD5:D79B5DE6D93AC06005761D88783B3EE6
                                                                                                                                                                                                                      SHA1:E05BDCE2673B6AA8CBB17A138751EDFA2264DB91
                                                                                                                                                                                                                      SHA-256:96125D6804544B8D4E6AE8638EFD4BD1F96A1BFB9EEF57337FFF40BA9FF4CDD1
                                                                                                                                                                                                                      SHA-512:34057F7B2AB273964CB086D8A7DF09A4E05D244A1A27E7589BDC7E5679AB5F587FAB52A2261DB22070DA11EF016F7386635A2B8E54D83730E77A7B142C2E3929
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .a.r.c.h.i.t.e.c.t.u.r.e...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):5783
                                                                                                                                                                                                                      Entropy (8bit):7.88616857639663
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:CDG4D+8VsXzXc2zLXTJ2XFY47pk2G7HVlwFzTXNbMfmn2ivLZcreFWw5fc9ADdZm:CDG4DRGY23l2Xu47GL7YtT9V29yWvWdk
                                                                                                                                                                                                                      MD5:8109B3C170E6C2C114164B8947F88AA1
                                                                                                                                                                                                                      SHA1:FC63956575842219443F4B4C07A8127FBD804C84
                                                                                                                                                                                                                      SHA-256:F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
                                                                                                                                                                                                                      SHA-512:F8A8D7A6469CD3E7C31F3335DDCC349AD7A686730E1866F130EE36AA9994C52A01545CE73D60B642FFE0EE49972435D183D8CD041F2BB006A6CAF31BAF4924AC
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):286
                                                                                                                                                                                                                      Entropy (8bit):3.4670546921349774
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUX0XPYDxUloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXPYDCloGHmD0+dAH/luWvv
                                                                                                                                                                                                                      MD5:3D52060B74D7D448DC733FFE5B92CB52
                                                                                                                                                                                                                      SHA1:3FBA3FFC315DB5B70BF6F05C4FF84B52A50FCCBC
                                                                                                                                                                                                                      SHA-256:BB980559C6FC38B703D1E9C41720D5CE8D00D2FF86D4F25136DB02B1E54B1518
                                                                                                                                                                                                                      SHA-512:952EF139A72562A528C1052F1942DAE1C0509D67654BF5E7C0602C87F90147E8EE9E251D2632BCB5B511AB2FF8A3734293D0A4E3DBD3D187F5E3C042685F9A0C
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.A.l.t.e.r.n.a.t.i.n.g.A.c.c.e.n.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):5630
                                                                                                                                                                                                                      Entropy (8bit):7.87271654296772
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:n5ni6jKZWsD+QJaUQ7R6qYFF5QS+BEgeJam6S7ZCHuKViGa2CnnLYLt/ht:nccqxIBdQ1QS+uDJanS7ZCHHVdJCnLY5
                                                                                                                                                                                                                      MD5:2F8998AA9CF348F1D6DE16EAB2D92070
                                                                                                                                                                                                                      SHA1:85B13499937B4A584BEA0BFE60475FD4C73391B6
                                                                                                                                                                                                                      SHA-256:8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
                                                                                                                                                                                                                      SHA-512:F10F7772985EDDA442B9558127F1959FF0A9909C7B7470E62D74948428BFFF7E278739209E8626AE5917FF728AFB8619AE137BEE2A6A4F40662122208A41ABB2
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):242
                                                                                                                                                                                                                      Entropy (8bit):3.4938093034530917
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUX44lWWoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyvToGHmD0+dAH/luWvv
                                                                                                                                                                                                                      MD5:A6B2731ECC78E7CED9ED5408AB4F2931
                                                                                                                                                                                                                      SHA1:BA15D036D522978409846EA682A1D7778381266F
                                                                                                                                                                                                                      SHA-256:6A2F9E46087B1F0ED0E847AF05C4D4CC9F246989794993E8F3E15B633EFDD744
                                                                                                                                                                                                                      SHA-512:666926612E83A7B4F6259C3FFEC3185ED3F07BDC88D43796A24C3C9F980516EB231BDEA4DC4CC05C6D7714BA12AE2DCC764CD07605118698809DEF12A71F1FDD
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.a.b.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):4888
                                                                                                                                                                                                                      Entropy (8bit):7.8636569313247335
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:StrFZ23/juILHPzms5UTuK9CuZGEoEuZ28H1HiGa2RnnLY+tUb:SPZQ7uCHPzms5UTlqauZVHdJRnLY+tUb
                                                                                                                                                                                                                      MD5:0A4CA91036DC4F3CD8B6DBF18094CF25
                                                                                                                                                                                                                      SHA1:6C7EED2530CD0032E9EEAB589AFBC296D106FBB9
                                                                                                                                                                                                                      SHA-256:E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
                                                                                                                                                                                                                      SHA-512:7C69426F2250E8C84368E8056613C22977630A4B3F5B817FB5EA69081CE2A3CA6E5F93DF769264253D5411419AF73467A27F0BB61291CCDE67D931BD0689CB66
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):290
                                                                                                                                                                                                                      Entropy (8bit):3.5161159456784024
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUX+l8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyulNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                                                                                      MD5:C15EB3F4306EBF75D1E7C3C9382DEECC
                                                                                                                                                                                                                      SHA1:A3F9684794FFD59151A80F97770D4A79F1D030A6
                                                                                                                                                                                                                      SHA-256:23C262DF3AEACB125E88C8FFB7DBF56FD23F66E0D476AFD842A68DDE69658C7F
                                                                                                                                                                                                                      SHA-512:ACDF7D69A815C42223FD6300179A991A379F7166EFAABEE41A3995FB2030CD41D8BCD46B566B56D1DFBAE8557AFA1D9FD55143900A506FA733DE9DA5D73389D6
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .t.u.r.a.b.i.a.n...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):344303
                                                                                                                                                                                                                      Entropy (8bit):5.023195898304535
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:UwprANnsqvtfL/vF/bkWPRMMv7EOMBPitjASjTQQr7IwR0TnyDk1b78plJwf33iD:6
                                                                                                                                                                                                                      MD5:F079EC5E2CCB9CD4529673BCDFB90486
                                                                                                                                                                                                                      SHA1:FBA6696E6FA918F52997193168867DD3AEBE1AD6
                                                                                                                                                                                                                      SHA-256:3B651258F4D0EE1BFFC7FB189250DED1B920475D1682370D6685769E3A9346DB
                                                                                                                                                                                                                      SHA-512:4FFFA59863F94B3778F321DA16C43B92A3053E024BDD8C5317077EA1ECC7B09F67ECE3C377DB693F3432BF1E2D947EC5BF8E88E19157ED08632537D8437C87D6
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$pa
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):256
                                                                                                                                                                                                                      Entropy (8bit):3.4842773155694724
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUXDAlIJAFIloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyMlI7loGHmD0+dAH/luWvv
                                                                                                                                                                                                                      MD5:923D406B2170497AD4832F0AD3403168
                                                                                                                                                                                                                      SHA1:A77DA08C9CB909206CDE42FE1543B9FE96DF24FB
                                                                                                                                                                                                                      SHA-256:EBF9CF474B25DDFE0F6032BA910D5250CBA2F5EDF9CF7E4B3107EDB5C13B50BF
                                                                                                                                                                                                                      SHA-512:A4CD8C74A3F916CA6B15862FCA83F17F2B1324973CCBCC8B6D9A8AEE63B83A3CD880DC6821EEADFD882D74C7EF58FA586781DED44E00E8B2ABDD367B47CE45B7
                                                                                                                                                                                                                      Malicious:false
Preview:[File] | OriginalName: ConvergingText.glox | Component: WordFiles | ReqVer: 14 | StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):11380
                                                                                                                                                                                                                      Entropy (8bit):7.891971054886943
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:VJcnLYnAVbOFLaCPLrGGbhaWEu6d3RmryqLkeAShObPb1AYcRMMXjkfa0nYBwggD:VcMC8lLrRbhy1ZqLyShYb1FHQ4C0nYQJ
                                                                                                                                                                                                                      MD5:C9F9364C659E2F0C626AC0D0BB519062
                                                                                                                                                                                                                      SHA1:C4036C576074819309D03BB74C188BF902D1AE00
                                                                                                                                                                                                                      SHA-256:6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
                                                                                                                                                                                                                      SHA-512:173A5E68E55163B081C5A8DA24AE46428E3FB326EBE17AE9588C7F7D7E5E5810BFCF08C23C3913D6BEC7369E06725F50387612F697AC6A444875C01A2C94D0FF
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):374
                                                                                                                                                                                                                      Entropy (8bit):3.5414485333689694
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUX8FaE3f8AWqlQqr++lcWimqnKOE3QepmlJ0+3FbnKfZObdADryMluxHZypo:fxnyj9AWI+acgq9GHmD0wbnKYZAH/lMf
                                                                                                                                                                                                                      MD5:2F7A8FE4E5046175500AFFA228F99576
                                                                                                                                                                                                                      SHA1:8A3DE74981D7917E6CE1198A3C8E35C7E2100F43
                                                                                                                                                                                                                      SHA-256:1495B4EC56B371148EA195D790562E5621FDBF163CDD8A5F3C119F8CA3BD2363
                                                                                                                                                                                                                      SHA-512:4B8FBB692D91D88B584E46C2F01BDE0C05DCD5D2FF073D83331586FB3D201EACD777D48DB3751E534E22115AA1C3C30392D0D642B3122F21EF10E3EE6EA3BE82
                                                                                                                                                                                                                      Malicious:false
Preview:[File] | OriginalName: Text Sidebar (Annual Report Red and Black design).docx | Component: WordFiles | ReqVer: 14 | Executable: {WD} | StoreLocation: {My Templates} | Command: /f {FilePath}
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Word 2007+
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):47296
                                                                                                                                                                                                                      Entropy (8bit):6.42327948041841
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:ftjI1BT8N37szq00s7dB2wMVJGHR97/RDU5naXUsT:fJIPTfq0ndB2w1bpsE
                                                                                                                                                                                                                      MD5:5A53F55DD7DA8F10A8C0E711F548B335
                                                                                                                                                                                                                      SHA1:035E685927DA2FECB88DE9CAF0BECEC88BC118A7
                                                                                                                                                                                                                      SHA-256:66501B659614227584DA04B64F44309544355E3582F59DBCA3C9463F67B7E303
                                                                                                                                                                                                                      SHA-512:095BD5D1ACA2A0CA3430DE2F005E1D576AC9387E096D32D556E4348F02F4D658D0E22F2FC4AA5BF6C07437E6A6230D2ABF73BBD1A0344D73B864BC4813D60861
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):256
                                                                                                                                                                                                                      Entropy (8bit):3.464918006641019
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUXR+EqRGRnRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxnyB+5RmRGHmD0wbnKYZAH+Vwv
                                                                                                                                                                                                                      MD5:93149E194021B37162FD86684ED22401
                                                                                                                                                                                                                      SHA1:1B31CAEBE1BBFA529092BE834D3B4AD315A6F8F1
                                                                                                                                                                                                                      SHA-256:50BE99A154A6F632D49B04FCEE6BCA4D6B3B4B7C1377A31CE9FB45C462D697B2
                                                                                                                                                                                                                      SHA-512:410A7295D470EC85015720B2B4AC592A472ED70A04103D200FA6874BEA6A423AF24766E98E5ACAA3A1DBC32C44E8790E25D4611CD6C0DBFFFE8219D53F33ACA7
                                                                                                                                                                                                                      Malicious:false
Preview:[File] | OriginalName: Equations.dotx | Component: WordFiles | ReqVer: 14 | Executable: {WD} | StoreLocation: {WD Document Parts}
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Word 2007+
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):51826
                                                                                                                                                                                                                      Entropy (8bit):5.541375256745271
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:erH5dYPCA4t3aEFGiSUDtYfEbi5Ry/AT7/6tHODaFlDSomurYNfT4A0VIwWNS89u:Q6Cbh9tENyWdaFUSYNfZS89/3qtEu
                                                                                                                                                                                                                      MD5:2AB22AC99ACFA8A82742E774323C0DBD
                                                                                                                                                                                                                      SHA1:790F8B56DF79641E83A16E443A75A66E6AA2F244
                                                                                                                                                                                                                      SHA-256:BC9D45D0419A08840093B0BF4DCF96264C02DFE5BD295CD9B53722E1DA02929D
                                                                                                                                                                                                                      SHA-512:E5715C0ECF35CE250968BD6DE5744D28A9F57D20FD6866E2AF0B2D8C8F80FEDC741D48F554397D61C5E702DA896BD33EED92D778DBAC71E2E98DCFB0912DE07B
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):262
                                                                                                                                                                                                                      Entropy (8bit):3.4901887319218092
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUXqhBMl0OoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyiMl0OoGHmD0+dAH/luWvv
                                                                                                                                                                                                                      MD5:52BD0762F3DC77334807DDFC60D5F304
                                                                                                                                                                                                                      SHA1:5962DA7C58F742046A116DDDA5DC8EA889C4CB0E
                                                                                                                                                                                                                      SHA-256:30C20CC835E912A6DD89FD1BF5F7D92B233B2EC24594F1C1FE0CADB03A8C3FAB
                                                                                                                                                                                                                      SHA-512:FB68B1CF9677A00D5651C51EC604B61DAC2D250D44A71D43CD69F41F16E4F0A7BAA7AD4A6F7BB870429297465A893013BBD7CC77A8F709AD6DB97F5A0927B1DD
                                                                                                                                                                                                                      Malicious:false
Preview:[File] | OriginalName: RadialPictureList.glox | Component: WordFiles | ReqVer: 14 | StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):5596
                                                                                                                                                                                                                      Entropy (8bit):7.875182123405584
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:dGa2unnLYEB2EUAPOak380NQjqbHaPKJebgrEVws8Vw+BMa0EbdLVQaZJgDZh0pJ:UJunLYEB2EUAxk3pIYaScgYwsV4bdS0X
                                                                                                                                                                                                                      MD5:CDC1493350011DB9892100E94D5592FE
                                                                                                                                                                                                                      SHA1:684B444ADE2A8DBE760B54C08F2D28F2D71AD0FA
                                                                                                                                                                                                                      SHA-256:F637A67799B492FEFFB65632FED7815226396B4102A7ED790E0D9BB4936E1548
                                                                                                                                                                                                                      SHA-512:3699066A4E8A041079F12E88AB2E7F485E968619CB79175267842846A3AD64AA8E7778CBACDF1117854A7FDCFB46C8025A62F147C81074823778C6B4DC930F12
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):280
                                                                                                                                                                                                                      Entropy (8bit):3.484503080761839
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUXGdQ1MecJZMlWlk2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny2dQ98MlWlzGHmD0+dAH/luWvv
                                                                                                                                                                                                                      MD5:1309D172F10DD53911779C89A06BBF65
                                                                                                                                                                                                                      SHA1:274351A1059868E9DEB53ADF01209E6BFBDFADFB
                                                                                                                                                                                                                      SHA-256:C190F9E7D00E053596C3477455D1639C337C0BE01012C0D4F12DFCB432F5EC56
                                                                                                                                                                                                                      SHA-512:31B38AD2D1FFF93E03BF707811F3A18AD08192F906E36178457306DDAB0C3D8D044C69DE575ECE6A4EE584800F827FB3C769F98EA650F1C208FEE84177070339
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .I.n.t.e.r.c.o.n.n.e.c.t.e.d.B.l.o.c.k.P.r.o.c.e.s.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):9191
                                                                                                                                                                                                                      Entropy (8bit):7.93263830735235
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:oeAMExvPJMg+yE+AfJLi3+Xoj7F3sPgMG61J88eDhFWT7hFNsdJtnLYJ7tSh:v2d+hnfJLi3+4ja4WqhFWT7FsdHMA
                                                                                                                                                                                                                      MD5:08D3A25DD65E5E0D36ADC602AE68C77D
                                                                                                                                                                                                                      SHA1:F23B6DDB3DA0015B1D8877796F7001CABA25EA64
                                                                                                                                                                                                                      SHA-256:58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
                                                                                                                                                                                                                      SHA-512:77D24C272D67946A3413D0BEA700A7519B4981D3B4D8486A655305546CE6133456321EE94FD71008CBFD678433EA1C834CFC147179B31899A77D755008FCE489
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):292
                                                                                                                                                                                                                      Entropy (8bit):3.5026803317779778
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUXC89ADni8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyf9ADiNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                                                                                      MD5:A0D51783BFEE86F3AC46A810404B6796
                                                                                                                                                                                                                      SHA1:93C5B21938DA69363DBF79CE594C302344AF9D9E
                                                                                                                                                                                                                      SHA-256:47B43E7DBDF8B25565D874E4E071547666B08D7DF4D736EA8521591D0DED640F
                                                                                                                                                                                                                      SHA-512:CA3DB5A574745107E1D6CAA60E491F11D8B140637D4ED31577CC0540C12FDF132D8BC5EBABEA3222F4D7BA1CA016FF3D45FE7688D355478C27A4877E6C4D0D75
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.o.s.t.t.i.t.l.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):251032
                                                                                                                                                                                                                      Entropy (8bit):5.102652100491927
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:hwprA5R95vtfb8p4bgWPwW6/m26AnV9IBgIkqm6HITUZJcjUZS1XkaNPQTlvB2zr:JA
                                                                                                                                                                                                                      MD5:F425D8C274A8571B625EE66A8CE60287
                                                                                                                                                                                                                      SHA1:29899E309C56F2517C7D9385ECDBB719B9E2A12B
                                                                                                                                                                                                                      SHA-256:DD7B7878427276AF5DBF8355ECE0D1FE5D693DF55AF3F79347F9D20AE50DB938
                                                                                                                                                                                                                      SHA-512:E567F283D903FA533977B30FD753AA1043B9DDE48A251A9AC6777A3B67667443FEAD0003765A630D0F840B6C275818D2F903B6CB56136BEDCC6D9BDD20776564
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):286
                                                                                                                                                                                                                      Entropy (8bit):3.5502940710609354
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUXfQICl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyXClNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                                                                                      MD5:9B8D7EFE8A69E41CDC2439C38FE59FAF
                                                                                                                                                                                                                      SHA1:034D46BEC5E38E20E56DD905E2CA2F25AF947ED1
                                                                                                                                                                                                                      SHA-256:70042F1285C3CD91DDE8D4A424A5948AE8F1551495D8AF4612D59709BEF69DF2
                                                                                                                                                                                                                      SHA-512:E50BB0C68A33D35F04C75F05AD4598834FEC7279140B1BB0847FF39D749591B8F2A0C94DA4897AAF6C33C50C1D583A836B0376015851910A77604F8396C7EF3C
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.s.o.6.9.0...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):270198
                                                                                                                                                                                                                      Entropy (8bit):5.073814698282113
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:JwprAiaR95vtfb8pDbgWPzDCvCmvQursq7vImej/yQ4SS1apSiQhHDOruvoVeMUX:We
                                                                                                                                                                                                                      MD5:FF0E07EFF1333CDF9FC2523D323DD654
                                                                                                                                                                                                                      SHA1:77A1AE0DD8DBC3FEE65DD6266F31E2A564D088A4
                                                                                                                                                                                                                      SHA-256:3F925E0CC1542F09DE1F99060899EAFB0042BB9682507C907173C392115A44B5
                                                                                                                                                                                                                      SHA-512:B4615F995FAB87661C2DBE46625AA982215D7BDE27CAFAE221DCA76087FE76DA4B4A381943436FCAC1577CB3D260D0050B32B7B93E3EB07912494429F126BB3D
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):290
                                                                                                                                                                                                                      Entropy (8bit):3.5081874837369886
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUXCOzi8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnydONGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                                                                                      MD5:8D9B02CC69FA40564E6C781A9CC9E626
                                                                                                                                                                                                                      SHA1:352469A1ABB8DA1DC550D7E27924E552B0D39204
                                                                                                                                                                                                                      SHA-256:1D4483830710EF4A2CC173C3514A9F4B0ACA6C44DB22729B7BE074D18C625BAE
                                                                                                                                                                                                                      SHA-512:8B7DB2AB339DD8085104855F847C48970C2DD32ADB0B8EEA134A64C5CC7DE772615F85D057F4357703B65166C8CF0C06F4F6FD3E60FFC80DA3DD34B16D5B1281
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.o.s.t.n.a.m.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):255948
                                                                                                                                                                                                                      Entropy (8bit):5.103631650117028
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>............<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select=
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):333258
                                                                                                                                                                                                                      Entropy (8bit):4.654450340871081
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.. <xsl:output method="html" encoding="us-ascii"/>.... <xsl:template match="*" mode="outputHtml2">.. <xsl:apply-templates mode="outputHtml"/>.. </xsl:template>.... <xsl:template name="StringFormatDot">.. <xsl:param name="format" />.. <xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.. <xsl:when test="$format = ''"></xsl:when>.. <xsl:when test="substring($format, 1, 2) = '%%'">.. <xsl:text>%</xsl:text>.. <xsl:call-template name="StringFormatDot">.. <xsl:with-param name="format" select="substring($format, 3)" />.. <xsl:with-param name=
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):328
                                                                                                                                                                                                                      Entropy (8bit):3.541819892045459
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      Malicious:false
Preview:[File] OriginalName: APASixthEditionOfficeOnline.xsl; Component: WordFiles; ReqVer: 14; Executable: {WD}; StoreLocation: {My Templates}; Command: /f {FilePath}
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):274
                                                                                                                                                                                                                      Entropy (8bit):3.438490642908344
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      Malicious:false
Preview:[File] OriginalName: Element design set.dotx; Component: WordFiles; ReqVer: 14; Executable: {WD}; StoreLocation: {WD Document Parts}
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Word 2007+
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):34415
                                                                                                                                                                                                                      Entropy (8bit):7.352974342178997
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):246
                                                                                                                                                                                                                      Entropy (8bit):3.5039994158393686
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      Malicious:false
Preview:[File] OriginalName: TabbedArc.glox; Component: WordFiles; ReqVer: 14; StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):3683
                                                                                                                                                                                                                      Entropy (8bit):7.772039166640107
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):486596
                                                                                                                                                                                                                      Entropy (8bit):7.668294441507828
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):274
                                                                                                                                                                                                                      Entropy (8bit):3.535303979138867
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:Q+sxnxUX3IlVARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnynG6ymD0wbnKNAH/lMz1
                                                                                                                                                                                                                      MD5:35AFE8D8724F3E19EB08274906926A0B
                                                                                                                                                                                                                      SHA1:435B528AAF746428A01F375226C5A6A04099DF75
                                                                                                                                                                                                                      SHA-256:97B8B2E246E4DAB15E494D2FB5F8BE3E6361A76C8B406C77902CE4DFF7AC1A35
                                                                                                                                                                                                                      SHA-512:ACF4F124207974CFC46A6F4EA028A38D11B5AF40E55809E5B0F6F5DABA7F6FC994D286026FAC19A0B4E2311D5E9B16B8154F8566ED786E5EF7CDBA8128FD62AF
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .V.i.e.w...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):562113
                                                                                                                                                                                                                      Entropy (8bit):7.67409707491542
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12288:/dy5Gtyp/FZ9QqjdxDfSp424XeavSktiAVE0:/dizp1ndpqpMZnV
                                                                                                                                                                                                                      MD5:4A1657A3872F9A77EC257F41B8F56B3D
                                                                                                                                                                                                                      SHA1:4DDEA85C649A2C1408B5B08A15DEF49BAA608A0B
                                                                                                                                                                                                                      SHA-256:C17103ADE455094E17AC182AD4B4B6A8C942FD3ACB381F9A5E34E3F8B416AE60
                                                                                                                                                                                                                      SHA-512:7A2932639E06D79A5CE1D3C71091890D9E329CA60251E16AE4095E4A06C6428B4F86B7FFFA097BF3EEFA064370A4D51CA3DF8C89EAFA3B1F45384759DEC72922
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):278
                                                                                                                                                                                                                      Entropy (8bit):3.535736910133401
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:Q+sxnxUXeAlFkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyRGymD0wbnKNAH/lMz1
                                                                                                                                                                                                                      MD5:487E25E610F3FC2EEA27AB54324EA8F6
                                                                                                                                                                                                                      SHA1:11C2BB004C5E44503704E9FFEEFA7EA7C2A9305C
                                                                                                                                                                                                                      SHA-256:022EC5077279A8E447B590F7260E1DBFF764DE5F9CDFD4FDEE32C94C66D4A1A2
                                                                                                                                                                                                                      SHA-512:B8DF351E2C0EF101CF91DC02E136A3EE9C1FDB18294BECB13A29D676FBBE791A80A58A18FBDEB953BC21EC54EB7608154D401407C461ABD10ACB94CE8AD0E092
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.a.n.d.e.d...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):777647
                                                                                                                                                                                                                      Entropy (8bit):7.689662652914981
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:B04bNOJMngI856k0wwOGXMaXTLaTDmfBaN2Tx9iSUk1PdSnc0lnDlcGMcEFYYYYt:xbY6ngI46Aw5dmyYYYYYYYYY7p8d
                                                                                                                                                                                                                      MD5:B30D2EF0FC261AECE90B62E9C5597379
                                                                                                                                                                                                                      SHA1:4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3
                                                                                                                                                                                                                      SHA-256:BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
                                                                                                                                                                                                                      SHA-512:2E728408C20C3C23C84A1C22DB28F0943AAA960B4436F8C77570448D5BEA9B8D53D95F7562883FA4F9B282DFE2FD07251EEEFDE5481E49F99B8FEDB66AAAAB68
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):290
                                                                                                                                                                                                                      Entropy (8bit):3.5091498509646044
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:Q+sxnxUX1MiDuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyFdMymD0wbnKNAH/lMz1
                                                                                                                                                                                                                      MD5:23D59577F4AE6C6D1527A1B8CDB9AB19
                                                                                                                                                                                                                      SHA1:A345D683E54D04CC0105C4BFFCEF8C6617A0093D
                                                                                                                                                                                                                      SHA-256:9ADD2C3912E01C2AC7FAD6737901E4EECBCCE6EC60F8E4D78585469A440E1E2C
                                                                                                                                                                                                                      SHA-512:B85027276B888548ECB8A2FC1DB1574C26FF3FCA7AF1F29CD5074EC3642F9EC62650E7D47462837607E11DCAE879B1F83DF4762CA94667AE70CBF78F8D455346
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .M.e.t.r.o.p.o.l.i.t.a.n...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):523048
                                                                                                                                                                                                                      Entropy (8bit):7.715248170753013
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:WfmDdN6Zfv8q5rnM6vZ02PtMZRkfW5ipbnMHxVcsOWrCMxy0sD/mcKb4rYEY:xDdQXBrMi2YtggW5ObnMH1brJpUmBU0N
                                                                                                                                                                                                                      MD5:C276F590BB846309A5E30ADC35C502AD
                                                                                                                                                                                                                      SHA1:CA6D9D6902475F0BE500B12B7204DD1864E7DD02
                                                                                                                                                                                                                      SHA-256:782996D93DEBD2AF9B91E7F529767A8CE84ACCC36CD62F24EBB5117228B98F58
                                                                                                                                                                                                                      SHA-512:B85165C769DFE037502E125A04CFACDA7F7CC36184B8D0A54C1F9773666FFCC43A1B13373093F97B380871571788D532DEEA352E8D418E12FD7AAD6ADB75A150
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):276
                                                                                                                                                                                                                      Entropy (8bit):3.5159096381406645
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:Q+sxnxUXQIa3ARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnygIaqymD0wbnKNAH/lMz1
                                                                                                                                                                                                                      MD5:71CCB69AF8DD9821F463270FB8CBB285
                                                                                                                                                                                                                      SHA1:8FED3EB733A74B2A57D72961F0E4CF8BCA42C851
                                                                                                                                                                                                                      SHA-256:8E63D7ABA97DABF9C20D2FAC6EB1665A5D3FDEAB5FA29E4750566424AE6E40B4
                                                                                                                                                                                                                      SHA-512:E62FC5BEAEC98C5FDD010FABDAA8D69237D31CA9A1C73F168B1C3ED90B6A9B95E613DEAD50EB8A5B71A7422942F13D6B5A299EB2353542811F2EF9DA7C3A15DC
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .F.r.a.m.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):570901
                                                                                                                                                                                                                      Entropy (8bit):7.674434888248144
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:D2tTXiO/3GH5SkPQVAqWnGrkFxvay910UUTWZJarUv9TA0g8:kX32H+VWgkFxSgGTmarUv9T
                                                                                                                                                                                                                      MD5:D676DE8877ACEB43EF0ED570A2B30F0E
                                                                                                                                                                                                                      SHA1:6C8922697105CEC7894966C9C5553BEB64744717
                                                                                                                                                                                                                      SHA-256:DF012D101DE808F6CD872DFBB619B16732C23CF4ABC64149B6C3CE49E9EFDA01
                                                                                                                                                                                                                      SHA-512:F40BADA680EA5CA508947290BA73901D78DE79EAA10D01EAEF975B80612D60E75662BDA542E7F71C2BBA5CA9BA46ECAFE208FD6E40C1F929BB5E407B10E89FBD
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):282
                                                                                                                                                                                                                      Entropy (8bit):3.5459495297497368
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:Q+sxnxUXvBAuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnypJymD0wbnKNAH/lMz1
                                                                                                                                                                                                                      MD5:76340C3F8A0BFCEDAB48B08C57D9B559
                                                                                                                                                                                                                      SHA1:E1A6672681AA6F6D525B1D17A15BF4F912C4A69B
                                                                                                                                                                                                                      SHA-256:78FE546321EDB34EBFA1C06F2B6ADE375F3B7C12552AB2A04892A26E121B3ECC
                                                                                                                                                                                                                      SHA-512:49099F040C099A0AED88E7F19338140A65472A0F95ED99DEB5FA87587E792A2D11081D59FD6A83B7EE68C164329806511E4F1B8D673BEC9074B4FF1C09E3435D
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .D.i.v.i.d.e.n.d...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):608122
                                                                                                                                                                                                                      Entropy (8bit):7.729143855239127
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:Ckl6KRKwg9jf2q/bN69OuGFlC/DUhq68xOcJzGYnTxlLqU8dmTW:8yKwgZ2qY9kA7Uhq68H3ybmq
                                                                                                                                                                                                                      MD5:8BA551EEC497947FC39D1D48EC868B54
                                                                                                                                                                                                                      SHA1:02FA15FDAF0D7E2F5D44CAE5FFAE49E8F91328DF
                                                                                                                                                                                                                      SHA-256:DB2E99B969546E431548EBD58707FC001BBD1A4BDECAD387D194CC9C6D15AC89
                                                                                                                                                                                                                      SHA-512:CC97F9B2C83FF7CAC32AB9A9D46E0ACDE13EECABECD653C88F74E4FC19806BB9498D2F49C4B5581E58E7B0CB95584787EA455E69D99899381B592BEA177D4D4B
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):278
                                                                                                                                                                                                                      Entropy (8bit):3.516359852766808
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:Q+sxnxUXKwRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6qymD0wbnKNAH/lMz1
                                                                                                                                                                                                                      MD5:960E28B1E0AB3522A8A8558C02694ECF
                                                                                                                                                                                                                      SHA1:8387E9FD5179A8C811CCB5878BAC305E6A166F93
                                                                                                                                                                                                                      SHA-256:2707FCA8CEC54DF696F19F7BCAD5F0D824A2AC01B73815DE58F3FCF0AAB3F6A0
                                                                                                                                                                                                                      SHA-512:89EA06BA7D18B0B1EA624BBC052F73366522C231BD3B51745B92CF056B445F9D655F9715CBDCD3B2D02596DB4CD189D91E2FE581F2A2AA2F6D814CD3B004950A
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .P.a.r.c.e.l...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):558035
                                                                                                                                                                                                                      Entropy (8bit):7.696653383430889
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12288:DQ/oYjRRRRRRRRYcdY/5ASWYqBMp8xsGGEOzI7vQQwOyP:DQ/nRRRRRRRRxY/5JWYZ3GGbI8YA
                                                                                                                                                                                                                      MD5:3B5E44DDC6AE612E0346C58C2A5390E3
                                                                                                                                                                                                                      SHA1:23BCF3FCB61F80C91D2CFFD8221394B1CB359C87
                                                                                                                                                                                                                      SHA-256:9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
                                                                                                                                                                                                                      SHA-512:2E63419F272C6E411CA81945E85E08A6E3230A2F601C4D28D6312DB5C31321F94FAFA768B16BC377AE37B154C6869CA387005693A79C5AB1AC45ED73BCCC6479
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):276
                                                                                                                                                                                                                      Entropy (8bit):3.5361139545278144
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:Q+sxnxUXeMWMluRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnycMlMymD0wbnKNAH/lMz1
                                                                                                                                                                                                                      MD5:133D126F0DE2CC4B29ECE38194983265
                                                                                                                                                                                                                      SHA1:D8D701298D7949BE6235493925026ED405290D43
                                                                                                                                                                                                                      SHA-256:08485EBF168364D846C6FD55CD9089FE2090D1EE9D1A27C1812E1247B9005E68
                                                                                                                                                                                                                      SHA-512:75D7322BE8A5EF05CAA48B754036A7A6C56399F17B1401F3F501DA5F32B60C1519F2981043A773A31458C3D9E1EF230EC60C9A60CAC6D52FFE16147E2E0A9830
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.a.s.i.s...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1649585
                                                                                                                                                                                                                      Entropy (8bit):7.875240099125746
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:24576:L368X6z95zf5BbQ6U79dYy2HiTIxRboyM/LZTl5KnCc:r68kb7UTYxGIxmnp65
                                                                                                                                                                                                                      MD5:35200E94CEB3BB7A8B34B4E93E039023
                                                                                                                                                                                                                      SHA1:5BB55EDAA4CDF9D805E36C36FB092E451BDDB74D
                                                                                                                                                                                                                      SHA-256:6CE04E8827ABAEA9B292048C5F84D824DE3CEFDB493101C2DB207BD4475AF1FD
                                                                                                                                                                                                                      SHA-512:ED80CEE7C22D10664076BA7558A79485AA39BE80582CEC9A222621764DAE5EFA70F648F8E8C5C83B6FE31C2A9A933C814929782A964A47157505F4AE79A3E2F9
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):284
                                                                                                                                                                                                                      Entropy (8bit):3.5552837910707304
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:Q+sxnxUXtLARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnygymD0wbnKNAH/lMz1
                                                                                                                                                                                                                      MD5:5728F26DF04D174DE9BDFF51D0668E2A
                                                                                                                                                                                                                      SHA1:C998DF970655E4AF9C270CC85901A563CFDBCC22
                                                                                                                                                                                                                      SHA-256:979DAFD61C23C185830AA3D771EDDC897BEE87587251B84F61776E720ACF9840
                                                                                                                                                                                                                      SHA-512:491B36AC6D4749F7448B9A3A6E6465E8D97FB30F33EF5019AF65660E98F4570711EFF5FC31CBB8414AD9355029610E6F93509BC4B2FB6EA79C7CB09069DE7362
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .W.o.o.d._.T.y.p.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):966946
                                                                                                                                                                                                                      Entropy (8bit):7.8785200658952
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:24576:qBcvGBGhXQir6H1ws6+iU0YuA35VuinHX2NPs:ccvGBGdQ5CsMxQVj3yPs
                                                                                                                                                                                                                      MD5:F03AB824395A8F1F1C4F92763E5C5CAD
                                                                                                                                                                                                                      SHA1:A6E021918C3CEFFB6490222D37ECEED1FC435D52
                                                                                                                                                                                                                      SHA-256:D96F7A63A912CA058FB140138C41DCB3AF16638BA40820016AF78DF5D07FAEDD
                                                                                                                                                                                                                      SHA-512:0241146B63C938F11045FB9DF5360F63EF05B9B3DD1272A3E3E329A1BFEC5A4A645D5472461DE9C06CFE4ADB991FE96C58F0357249806C341999C033CD88A7AF
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):282
                                                                                                                                                                                                                      Entropy (8bit):3.5323495192404475
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:Q+sxnxUXhduDARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyxdumymD0wbnKNAH/lMz1
                                                                                                                                                                                                                      MD5:BD6B5A98CA4E6C5DBA57C5AD167EDD00
                                                                                                                                                                                                                      SHA1:CCFF7F635B31D12707DC0AC6D1191AB5C4760107
                                                                                                                                                                                                                      SHA-256:F22248FE60A55B6C7C1EB31908FAB7726813090DE887316791605714E6E3CEF7
                                                                                                                                                                                                                      SHA-512:A178299461015970AF23BA3D10E43FCA5A6FB23262B0DD0C5DDE01D338B4959F222FD2DC2CC5E3815A69FDDCC3B6B4CB8EE6EC0883CE46093C6A59FF2B042BC1
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .Q.u.o.t.a.b.l.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):976001
                                                                                                                                                                                                                      Entropy (8bit):7.791956689344336
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:24576:zHM7eZGgFiHMRej4N9tpytNZ+tIw5ErZBImlX0m:zHM7eZGgFiHMRej++NZ+F5WvllZ
                                                                                                                                                                                                                      MD5:9E563D44C28B9632A7CF4BD046161994
                                                                                                                                                                                                                      SHA1:D3DB4E5F5B1CC6DD08BB3EBF488FF05411348A11
                                                                                                                                                                                                                      SHA-256:86A70CDBE4377C32729FD6C5A0B5332B7925A91C492292B7F9C636321E6FAD86
                                                                                                                                                                                                                      SHA-512:8EB14A1B10CB5C7607D3E07E63F668CFC5FC345B438D39138D62CADF335244952FBC016A311D5CB8A71D50660C49087B909528FC06C1D10AF313F904C06CBD5C
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):278
                                                                                                                                                                                                                      Entropy (8bit):3.5270134268591966
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:Q+sxnxUXa3Y1kRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyt1mymD0wbnKNAH/lMz1
                                                                                                                                                                                                                      MD5:327DA4A5C757C0F1449976BE82653129
                                                                                                                                                                                                                      SHA1:CF74ECDF94B4A8FD4C227313C8606FD53B8EEA71
                                                                                                                                                                                                                      SHA-256:341BABD413AA5E8F0A921AC309A8C760A4E9BA9CFF3CAD3FB2DD9DF70FD257A6
                                                                                                                                                                                                                      SHA-512:9184C3FB989BB271B4B3CDBFEFC47EA8ABEB12B8904EE89797CC9823F33952BD620C061885A5C11BBC1BD3978C4B32EE806418F3F21DA74F1D2DB9817F6E167E
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.e.r.l.i.n...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):924687
                                                                                                                                                                                                                      Entropy (8bit):7.824849396154325
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12288:lsadD3eLxI8XSh4yDwFw8oWR+6dmw2ZpQDKpazILv7Jzny/ApcWqyOpEZULn:qLxI8XSh4yUF/oWR+mLKpYIr7l3ZQ7n
                                                                                                                                                                                                                      MD5:97EEC245165F2296139EF8D4D43BBB66
                                                                                                                                                                                                                      SHA1:0D91B68CCB6063EB342CFCED4F21A1CE4115C209
                                                                                                                                                                                                                      SHA-256:3C5CF7BDB27592791ADF4E7C5A09DDE4658E10ED8F47845064DB1153BE69487C
                                                                                                                                                                                                                      SHA-512:8594C49CAB6FF8385B1D6E174431DAFB0E947A8D7D3F200E622AE8260C793906E17AA3E6550D4775573858EA1243CCBF7132973CD1CF7A72C3587B9691535FF8
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):282
                                                                                                                                                                                                                      Entropy (8bit):3.51145753448333
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:Q+sxnxUXKsWkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6svymD0wbnKNAH/lMz1
                                                                                                                                                                                                                      MD5:7956D2B60E2A254A07D46BCA07D0EFF0
                                                                                                                                                                                                                      SHA1:AF1AC8CA6FE2F521B2EE2B7ABAB612956A65B0B5
                                                                                                                                                                                                                      SHA-256:C92B7FD46B4553FF2A656FF5102616479F3B503341ED7A349ECCA2E12455969E
                                                                                                                                                                                                                      SHA-512:668F5D0EFA2F5168172E746A6C32820E3758793CFA5DB6791DE39CB706EF7123BE641A8134134E579D3E4C77A95A0F9983F90E44C0A1CF6CDE2C4E4C7AF1ECA0
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .P.a.r.a.l.l.a.x...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1204049
                                                                                                                                                                                                                      Entropy (8bit):7.92476783994848
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:24576:+3zSQBxvOUIpHLYTCEmS1Wu09jRalJP3sdgnmAOFt0zU4L0MRx5QNn5:+bvI5UTCPu09qP3JPOFoR4N5
                                                                                                                                                                                                                      MD5:FD5BBC58056522847B3B75750603DF0C
                                                                                                                                                                                                                      SHA1:97313E85C0937739AF7C7FC084A10BF202AC9942
                                                                                                                                                                                                                      SHA-256:44976408BD6D2703BDBE177259061A502552193B1CD05E09B698C0DAC3653C5F
                                                                                                                                                                                                                      SHA-512:DBD72827044331215A7221CA9B0ECB8809C7C79825B9A2275F3450BAE016D7D320B4CA94095F7CEF4372AC63155C78CA4795E23F93166D4720032ECF9F932B8E
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):276
                                                                                                                                                                                                                      Entropy (8bit):3.5364757859412563
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:Q+sxnxUXARkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnywMymD0wbnKNAH/lMz1
                                                                                                                                                                                                                      MD5:CD465E8DA15E26569897213CA9F6BC9C
                                                                                                                                                                                                                      SHA1:9EA9B5E6C9B7BF72A777A21EC17FD82BC4386D4C
                                                                                                                                                                                                                      SHA-256:D4109317C2DBA1D7A94FC1A4B23FA51F4D0FC8E1D9433697AAFA72E335192610
                                                                                                                                                                                                                      SHA-512:869A42679F96414FE01FE1D79AF7B33A0C9B598B393E57E0E4D94D68A4F2107EC58B63A532702DA96A1F2F20CE72E6E08125B38745CD960DF62FE539646EDD8D
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .S.a.v.o.n...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1091485
                                                                                                                                                                                                                      Entropy (8bit):7.906659368807194
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:24576:oBpmCkw3Tg/euEB+UdoC4k7ytHkHA6B/puqW2MIkTeSBmKrZHQ:MR3c/AseydwppC7veSBmWHQ
                                                                                                                                                                                                                      MD5:2192871A20313BEC581B277E405C6322
                                                                                                                                                                                                                      SHA1:1F9A6A5E10E1C3FFEB6B6725C5D2FA9ECDF51085
                                                                                                                                                                                                                      SHA-256:A06B302954A4C9A6A104A8691864A9577B0BFEA240B0915D9BEA006E98CDFFEC
                                                                                                                                                                                                                      SHA-512:6D8844D2807BB90AEA6FE0DDDB9C67542F587EC9B7FC762746164B2D4A1A99EF8368A70C97BAD7A986AAA80847F64408F50F4707BB039FCCC509133C231D53B9
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):280
                                                                                                                                                                                                                      Entropy (8bit):3.5301133500353727
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:Q+sxnxUXp2pRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyZ2vymD0wbnKNAH/lMz1
                                                                                                                                                                                                                      MD5:1C5D58A5ED3B40486BC22B254D17D1DD
                                                                                                                                                                                                                      SHA1:69B8BB7B0112B37B9B5F9ADA83D11FBC99FEC80A
                                                                                                                                                                                                                      SHA-256:EBE031C340F04BB0235FE62C5A675CF65C5CC8CE908F4621A4F5D7EE85F83055
                                                                                                                                                                                                                      SHA-512:4736E4F26C6FAAB47718945BA54BD841FE8EF61F0DBA927E5C4488593757DBF09689ABC387A8A44F7C74AA69BA89BEE8EA55C87999898FEFEB232B1BA8CC7086
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .G.a.l.l.e.r.y...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1463634
                                                                                                                                                                                                                      Entropy (8bit):7.898382456989258
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:24576:75MGNW/UpLkupMAqDJhNHK4/TuiKbdhbZM+byLH/:7ZwUpLkulkHK46iiDZHeLH/
                                                                                                                                                                                                                      MD5:ACBA78931B156E4AF5C4EF9E4AB3003B
                                                                                                                                                                                                                      SHA1:2A1F506749A046ECFB049F23EC43B429530EC489
                                                                                                                                                                                                                      SHA-256:943E4044C40ABA93BD7EA31E8B5EBEBD7976085E8B1A89E905952FA8DAC7B878
                                                                                                                                                                                                                      SHA-512:2815D912088BA049F468CA9D65B92F8951A9BE82AB194DBFACCF0E91F0202820F5BC9535966654D28F69A8B92D048808E95FEA93042D8C5DEA1DCB0D58BE5175
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):280
                                                                                                                                                                                                                      Entropy (8bit):3.5286004619027067
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:Q+sxnxUXOzXkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6WymD0wbnKNAH/lMz1
                                                                                                                                                                                                                      MD5:40FF521ED2BA1B015F17F0B0E5D95068
                                                                                                                                                                                                                      SHA1:0F29C084311084B8FDFE67855884D8EB60BDE1A6
                                                                                                                                                                                                                      SHA-256:CC3575BA195F0F271FFEBA6F6634BC9A2CF5F3BE448F58DBC002907D7C81CBBB
                                                                                                                                                                                                                      SHA-512:9507E6145417AC730C284E58DC6B2063719400B395615C40D7885F78F57D55B251CB9C954D573CB8B6F073E4CEA82C0525AE90DEC68251C76A6F1B03FD9943C0
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.i.r.c.u.i.t...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1750795
                                                                                                                                                                                                                      Entropy (8bit):7.892395931401988
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:24576:DyeAqDJpUDH3xk8ZKIBuX3TPtd36v4o5d4PISMETGBP6eUP+xSeW3v0HKPsc:uRqUjSTPtd36AFDM/BP6eUeW3v0Fc
                                                                                                                                                                                                                      MD5:529795E0B55926752462CBF32C14E738
                                                                                                                                                                                                                      SHA1:E72DFF8354DF2CB6A5698F14BBD1805D72FEEAFF
                                                                                                                                                                                                                      SHA-256:8D341D1C24176DC6B67104C2AF90FABD3BFF666CCC0E269381703D7659A6FA05
                                                                                                                                                                                                                      SHA-512:A51F440F1E19C084D905B721D0257F7EEE082B6377465CB94E677C29D4E844FD8021D0B6BA26C0907B72B84157C60A3EFEDFD96C16726F6ABEA8D896D78B08CE
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):280
                                                                                                                                                                                                                      Entropy (8bit):3.528155916440219
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:Q+sxnxUXcmlDuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyMmloymD0wbnKNAH/lMz1
                                                                                                                                                                                                                      MD5:AA7B919B21FD42C457948DE1E2988CB3
                                                                                                                                                                                                                      SHA1:19DA49CF5540E5840E95F4E722B54D44F3154E04
                                                                                                                                                                                                                      SHA-256:5FFF5F1EC1686C138192317D5A67E22A6B02E5AAE89D73D4B19A492C2F5BE2F9
                                                                                                                                                                                                                      SHA-512:01D27377942F69A0F2FE240DD73A1F97BB915E19D3D716EE4296C6EF8D8933C80E4E0C02F6C9FA72E531246713364190A2F67F43EDBE12826A1529BC2A629B00
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .D.r.o.p.l.e.t...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):2357051
                                                                                                                                                                                                                      Entropy (8bit):7.929430745829162
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:49152:tfVcGO3JiR6SgT7/bOCrKCsaFCX3CzwovQTSwW8nX:pVcG2iRedsaoXSzeOwWEX
                                                                                                                                                                                                                      MD5:5BDE450A4BD9EFC71C370C731E6CDF43
                                                                                                                                                                                                                      SHA1:5B223FB902D06F9FCC70C37217277D1E95C8F39D
                                                                                                                                                                                                                      SHA-256:93BFC6AC1DC1CFF497DF92B30B42056C9D422B2321C21D65728B98E420D4ED50
                                                                                                                                                                                                                      SHA-512:2365A9F76DA07D705A6053645FD2334D707967878F930061D451E571D9228C74A8016367525C37D09CB2AD82261B4B9E7CAEFBA0B96CE2374AC1FAC6B7AB5123
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):276
                                                                                                                                                                                                                      Entropy (8bit):3.516423078177173
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:Q+sxnxUX7kARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny5ymD0wbnKNAH/lMz1
                                                                                                                                                                                                                      MD5:5402138088A9CF0993C08A0CA81287B8
                                                                                                                                                                                                                      SHA1:D734BD7F2FB2E0C7D5DB8F70B897376ECA935C9A
                                                                                                                                                                                                                      SHA-256:5C9F5E03EEA4415043E65172AD2729F34BBBFC1A1156A630C65A71CE578EF137
                                                                                                                                                                                                                      SHA-512:F40A8704F16AB1D5DCD861355B07C7CB555934BB9DA85AACDCF869DC942A9314FFA12231F9149D28D438BE6A1A14FCAB332E54B6679E29AD001B546A0F48DE64
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .S.l.a.t.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):2218943
                                                                                                                                                                                                                      Entropy (8bit):7.942378408801199
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:49152:8mwK3gH/l4hM06Wqnnl1IdO9wASFntrPEWNe7:863gHt4hM9WWnMdO9w35PEWK
                                                                                                                                                                                                                      MD5:EE33FDA08FBF10EF6450B875717F8887
                                                                                                                                                                                                                      SHA1:7DFA77B8F4559115A6BF186EDE51727731D7107D
                                                                                                                                                                                                                      SHA-256:5CF611069F281584DE3E63DE8B99253AA665867299DC0192E8274A32A82CAA20
                                                                                                                                                                                                                      SHA-512:AED6E11003AAAACC3FB28AE838EDA521CB5411155063DFC391ACE2B9CBDFBD5476FAB2B5CC528485943EBBF537B95F026B7B5AB619893716F0A91AEFF076D885
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):278
                                                                                                                                                                                                                      Entropy (8bit):3.544065206514744
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:Q+sxnxUXCARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyy6ymD0wbnKNAH/lMz1
                                                                                                                                                                                                                      MD5:06B3DDEFF905F75FA5FA5C5B70DCB938
                                                                                                                                                                                                                      SHA1:E441B94F0621D593DC870A27B28AC6BE3842E7DB
                                                                                                                                                                                                                      SHA-256:72D49BDDE44DAE251AEADF963C336F72FA870C969766A2BB343951E756B3C28A
                                                                                                                                                                                                                      SHA-512:058792BAA633516037E7D833C8F59584BA5742E050FA918B1BEFC6F64A226AB3821B6347A729BEC2DF68BB2DFD2F8E27947F74CD4F6BDF842606B9DEDA0B75CC
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .D.a.m.a.s.k...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):3078052
                                                                                                                                                                                                                      Entropy (8bit):7.954129852655753
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:49152:bSEjlpY8skyFHuj2yY0ciM9U2NCVBB4YFzYFw7IaJE2VRK+Xn9DOOe9pp9N9Hu:bfp5sksA3cimUVxV05aJE2fKaDOXdN9O
                                                                                                                                                                                                                      MD5:CDF98D6B111CF35576343B962EA5EEC6
                                                                                                                                                                                                                      SHA1:D481A70EC9835B82BD6E54316BF27FAD05F13A1C
                                                                                                                                                                                                                      SHA-256:E3F108DDB3B8581A7A2290DD1E220957E357A802ECA5B3087C95ED13AD93A734
                                                                                                                                                                                                                      SHA-512:95C352869D08C0FE903B15311622003CB4635DE8F3A624C402C869F1715316BE2D8D9C0AB58548A84BBB32757E5A1F244B1014120543581FDEA7D7D9D502EF9C
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):274
                                                                                                                                                                                                                      Entropy (8bit):3.5303110391598502
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:Q+sxnxUXzRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnylymD0wbnKNAH/lMz1
                                                                                                                                                                                                                      MD5:8D1E1991838307E4C2197ECB5BA9FA79
                                                                                                                                                                                                                      SHA1:4AD8BB98DC9C5060B58899B3E9DCBA6890BC9E93
                                                                                                                                                                                                                      SHA-256:4ABA3D10F65D050A19A3C2F57A024DBA342D1E05706A8A3F66B6B8E16A980DB9
                                                                                                                                                                                                                      SHA-512:DCDC9DB834303CC3EC8F1C94D950A104C504C588CE7631CE47E24268AABC18B1C23B6BEC3E2675E8A2A11C4D80EBF020324E0C7F985EA3A7BBC77C1101C23D01
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .M.e.s.h...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):2924237
                                                                                                                                                                                                                      Entropy (8bit):7.970803022812704
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:49152:mc4NEo4XNd5wU5qTkdC4+K9u5b/i40RKRAO/cLf68wy9yxKrOUURBgmai2prH:mJef5yTSoKMF//DRGJwLx9DBaH
                                                                                                                                                                                                                      MD5:5AF1581E9E055B6E323129E4B07B1A45
                                                                                                                                                                                                                      SHA1:B849F85BCAF0E1C58FA841FFAE3476D20D33F2DD
                                                                                                                                                                                                                      SHA-256:BDC9FBF81FBE91F5BF286B2CEA00EE76E70752F7E51FE801146B79F9ADCB8E98
                                                                                                                                                                                                                      SHA-512:11BFEF500DAEC099503E8CDB3B4DE4EDE205201C0985DB4CA5EBBA03471502D79D6616D9E8F471809F6F388D7CBB8B0D0799262CBE89FEB13998033E601CEE09
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):286
                                                                                                                                                                                                                      Entropy (8bit):3.5434534344080606
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:Q+sxnxUXIc5+RELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny4KcymD0wbnKNAH/lMz1
                                                                                                                                                                                                                      MD5:C9812793A4E94320C49C7CA054EE6AA4
                                                                                                                                                                                                                      SHA1:CC1F88C8F3868B3A9DE7E0E5F928DBD015234ABA
                                                                                                                                                                                                                      SHA-256:A535AE7DD5EDA6D31E1B5053E64D0D7600A7805C6C8F8AF1DB65451822848FFC
                                                                                                                                                                                                                      SHA-512:D28AADEDE0473C5889F3B770E8D34B20570282B154CD9301932BF90BF6205CBBB96B51027DEC6788961BAF2776439ADBF9B56542C82D89280C0BEB600DF4B633
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .M.a.i.n._.E.v.e.n.t...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):3611324
                                                                                                                                                                                                                      Entropy (8bit):7.965784120725206
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:49152:ixc1kZBIabo4dTJyr3hJ50gd9OaFxTy+1Nn/M/noivF0po3M0h0Vsm:ixcaAabT83hJLdoaFxTygxcoiX3M0iCm
                                                                                                                                                                                                                      MD5:FB88BFB743EEA98506536FC44B053BD0
                                                                                                                                                                                                                      SHA1:B27A67A5EEC1B5F9E7A9C3B76223EDE4FCAF5537
                                                                                                                                                                                                                      SHA-256:05057213BA7E5437AC3B8E9071A5577A8F04B1A67EFE25A08D3884249A22FBBF
                                                                                                                                                                                                                      SHA-512:4270A19F4D73297EEC910B81FF17441F3FC7A6A2A84EBA2EA3F7388DD3AA0BA31E9E455CFF93D0A34F4EC7CA74672D407A1C4DC838A130E678CA92A2E085851C
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):288
                                                                                                                                                                                                                      Entropy (8bit):3.5359188337181853
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:Q+sxnxUXe46x8RELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyO3UymD0wbnKNAH/lMz1
                                                                                                                                                                                                                      MD5:0FEA64606C519B78B7A52639FEA11492
                                                                                                                                                                                                                      SHA1:FC9A6D5185088318032FD212F6BDCBD1CF2FFE76
                                                                                                                                                                                                                      SHA-256:60059C4DD87A74A2DC36748941CF5A421ED394368E0AA19ACA90D850FA6E4A13
                                                                                                                                                                                                                      SHA-512:E04102E435B8297BF33086C0AD291AD36B5B4A97A59767F9CAC181D17CFB21D3CAA3235C7CD59BB301C58169C51C05DDDF2D637214384B9CC0324DAB0BB1EF8D
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .V.a.p.o.r._.T.r.a.i.l...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):274
                                                                                                                                                                                                                      Entropy (8bit):3.4699940532942914
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:fxnxUXGWWYlIWimoa2nRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxny2WzIgN2RGHmD0wbnKYZAH+Vwv
                                                                                                                                                                                                                      MD5:55BA5B2974A072B131249FD9FD42EB91
                                                                                                                                                                                                                      SHA1:6509F8AC0AA23F9B8F3986217190F10206A691EA
                                                                                                                                                                                                                      SHA-256:13FFAAFFC987BAAEF7833CD6A8994E504873290395DC2BD9B8E1D7E7E64199E7
                                                                                                                                                                                                                      SHA-512:3DFB0B21D09B63AF69698252D073D51144B4E6D56C87B092F5D97CE07CBCF9C966828259C8D95944A7732549C554AE1FF363CB936CA50C889C364AA97501B558
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .I.n.s.i.g.h.t. .d.e.s.i.g.n. .s.e.t...d.o.t.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.W.D. .D.o.c.u.m.e.n.t. .P.a.r.t.s.}.........
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Word 2007+
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):3465076
                                                                                                                                                                                                                      Entropy (8bit):7.898517227646252
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:98304:n8ItVaN7vTMZ9IBbaETXbI8ItVaN7vTMZ9IBbaEiXbY:8ItwNX9BvTvItwNX9BvoM
                                                                                                                                                                                                                      MD5:8BC84DB5A3B2F8AE2940D3FB19B43787
                                                                                                                                                                                                                      SHA1:3A5FE7B14D020FAD0E25CD1DF67864E3E23254EE
                                                                                                                                                                                                                      SHA-256:AF1FDEEA092169BF794CDC290BCA20AEA07AC7097D0EFCAB76F783FA38FDACDD
                                                                                                                                                                                                                      SHA-512:558F52C2C79BF4A3FBB8BB7B1C671AFD70A2EC0B1BDE10AC0FED6F5398E53ED3B2087B38B7A4A3D209E4F1B34150506E1BA362E4E1620A47ED9A1C7924BB9995
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 15418 bytes, 2 files, at 0x4c "harvardanglia2008officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):31562
                                                                                                                                                                                                                      Entropy (8bit):7.81640835713744
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:yhsBScEWkrljntbzuMmWh7ezPnGgbA8E0GftpBjohgsRFLrHRN7ybll7PK/p:MsBScwtnBmWNeTzA8PiuWsvyDI
                                                                                                                                                                                                                      MD5:1D6F8E73A0662A48D332090A4C8C898F
                                                                                                                                                                                                                      SHA1:CF9AD4F157772F5EDC0FDDEEFD9B05958B67549C
                                                                                                                                                                                                                      SHA-256:8077C92C66D15D7E03FBFF3A48BD9576B80F698A36A44316EABA81EE8043B673
                                                                                                                                                                                                                      SHA-512:5C03A99ECD747FBC7A15F082DF08C0D26383DB781E1F70771D4970E354A962294CE11BE53BECAAD6746AB127C5B194A93B7E1B139C12E6E45423B3A509D771FC
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 7453 bytes, 2 files, at 0x44 "pictureorgchart.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):23597
                                                                                                                                                                                                                      Entropy (8bit):7.692965575678876
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:y6aR//q0bJi/Uj+957G8E0GftpBj/4YOFLrHRN7LxhKll7PK/ph:y6I/Li/UjmVG8PiZ4YsLxh6Ih
                                                                                                                                                                                                                      MD5:7C645EC505982FE529D0E5035B378FFC
                                                                                                                                                                                                                      SHA1:1488ED81B350938D68A47C7F0BCE8D91FB1673E2
                                                                                                                                                                                                                      SHA-256:298FD9DADF0ACEBB2AA058A09EEBFAE15E5D1C5A8982DEE6669C63FB6119A13D
                                                                                                                                                                                                                      SHA-512:9F410DA5DB24B0B72E7774B4CF4398EDF0D361B9A79FBE2736A1DDD770AFE280877F5B430E0D26147CCA0524A54EA8B41F88B771F3598C2744A7803237B314B2
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 4313 bytes, 2 files, at 0x44 "chevronaccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):20457
                                                                                                                                                                                                                      Entropy (8bit):7.612540359660869
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:KyeISBuydn5rpmp77G8E0GftpBjE/kFLrHRN7ngslI66YVj:KHISBvd5rpmFG8Pi6/6nK666j
                                                                                                                                                                                                                      MD5:4EFA48EC307EAF2F9B346A073C67FCFB
                                                                                                                                                                                                                      SHA1:76A7E1234FF29A2B18C968F89082A14C9C851A43
                                                                                                                                                                                                                      SHA-256:3EE9AE1F8DAB4C498BD561D8FCC66D83E58F11B7BB4B2776DF99F4CDA4B850C2
                                                                                                                                                                                                                      SHA-512:2705644D501D85A821E96732776F61641FE82820FD6A39FFAF54A45AD126C886DC36C1398CDBDBB5FE282D9B09D27F9BFE7F26A646F926DA55DFF28E61FBD696
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 6196 bytes, 2 files, at 0x44 "ThemePictureGrid.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):22340
                                                                                                                                                                                                                      Entropy (8bit):7.668619892503165
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:GByvLdFHny7G8E0GftpBjE8upFLrHRN778lvQyUTL2mm2y:Oy3HkG8Pi6887mvU+ma
                                                                                                                                                                                                                      MD5:8B29FAB506FD65C21C9CD6FE6BBBC146
                                                                                                                                                                                                                      SHA1:CE1B8A57BB3C682F6A0AFC32955DAFD360720FDF
                                                                                                                                                                                                                      SHA-256:773AC516C9B9B28058128EC9BE099F817F3F90211AC70DC68077599929683D6F
                                                                                                                                                                                                                      SHA-512:AFA82CCBC0AEF9FAE4E728E4212E9C6EB2396D7330CCBE57F8979377D336B4DACF4F3BF835D04ABCEBCDB824B9A9147B4A7B5F12B8ADDADF42AB2C34A7450ADE
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 14939 bytes, 2 files, at 0x44 "CircleProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):31083
                                                                                                                                                                                                                      Entropy (8bit):7.814202819173796
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:0XbSq3W46TVZb5fOFo1HtZwGqtRT44hS+nyBoiuFgbA8E0GftpBjEcBFLrHRN7Ku:0XpOflfOFo1DMr/iuuA8Pi6cfKjW66b
                                                                                                                                                                                                                      MD5:89A9818E6658D73A73B642522FF8701F
                                                                                                                                                                                                                      SHA1:E66C95E957B74E90B444FF16D9B270ADAB12E0F4
                                                                                                                                                                                                                      SHA-256:F747DD8B79FC69217FA3E36FAE0AB417C1A0759C28C2C4F8B7450C70171228E6
                                                                                                                                                                                                                      SHA-512:321782B0B633380DA69BD7E98AA05BE7FA5D19A131294CC7C0A598A6A1A1AEF97AB1068427E4223AA30976E3C8246FF5C3C1265D4768FE9909B37F38CBC9E60D
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 12767 bytes, 2 files, at 0x4c "ieee2006officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):28911
                                                                                                                                                                                                                      Entropy (8bit):7.7784119983764715
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:WnJY165YD0tPYoCKa3HueqRyzVscLk1Yj2GjcgbA8E0GftpBjE2kWTpjFLrHRN7N:X4rtPzCK6uRoljXBA8Pi62ZphL0HRA5p
                                                                                                                                                                                                                      MD5:6D787B1E223DB6B91B69238062CCA872
                                                                                                                                                                                                                      SHA1:A02F3D847D1F8973E854B89D4558413EA2E349F7
                                                                                                                                                                                                                      SHA-256:DA2F261C3C82E229A097A9302C8580F014BB6442825DB47C008DA097CFCE0EE4
                                                                                                                                                                                                                      SHA-512:9856D88D5C63CD6EBCF26E5D7521F194FA6B6E7BF55DD2E0238457A1B760EB8FB0D573A6E85E819BF8E5BE596537E99BC8C2DCE7EC6E2809A43490CACCD44169
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 4967 bytes, 2 files, at 0x44 "TabList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):21111
                                                                                                                                                                                                                      Entropy (8bit):7.6297992466897675
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:wWZsOvbMZGgbA8E0GftpBjEtnFLrHRN7Dfll7PK/pirk:xZRvuzA8Pi6t9DPISk
                                                                                                                                                                                                                      MD5:D30AD26DBB6DECA4FDD294F48EDAD55D
                                                                                                                                                                                                                      SHA1:CA767A1B6AF72CF170C9E10438F61797E0F2E8CE
                                                                                                                                                                                                                      SHA-256:6B1633DD765A11E7ED26F8F9A4DD45023B3E4ADB903C934DF3917D07A3856BFF
                                                                                                                                                                                                                      SHA-512:7B519F5D82BA0DA3B2EFFAD3029C7CAB63905D534F3CF1F7EA3446C42FA2130665CA7569A105C18289D65FA955C5624009C1D571E8960D2B7C52E0D8B42BE457
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 14864 bytes, 2 files, at 0x4c "mlaseventheditionofficeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):31008
                                                                                                                                                                                                                      Entropy (8bit):7.806058951525675
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:ktH7oN/HbwiV+M+4Jc+5UrT3czi5uOHQA8Pi6DxUR/WTZIy:87sPEANXJc+eTMsuzP7DmN0ZIy
                                                                                                                                                                                                                      MD5:E033CCBC7BA787A2F824CE0952E57D44
                                                                                                                                                                                                                      SHA1:EEEA573BEA217878CD9E47D7EA94E56BDAFFE22A
                                                                                                                                                                                                                      SHA-256:D250EB1F93B43EFB7654B831B4183C9CAEC2D12D4EFEE8607FEE70B9FAB20730
                                                                                                                                                                                                                      SHA-512:B807B024B32E7F975AED408B77563A6B47865EECE32E8BA993502D9874B56580ECC9D9A3FEFA057FDD36FB8D519B6E184DB0593A65CC0ACF5E4ACCBEDE0F9417
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 15691 bytes, 2 files, at 0x4c "gb.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):31835
                                                                                                                                                                                                                      Entropy (8bit):7.81952379746457
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:ltJDH8NmUekomvNufaqA8Pi6x5q3KQIGu:lvINukgzP7x5mRIGu
                                                                                                                                                                                                                      MD5:92A819D434A8AAEA2C65F0CC2F33BB3A
                                                                                                                                                                                                                      SHA1:85C3F1801EFFEA1EA10A8429B0875FC30893F2C8
                                                                                                                                                                                                                      SHA-256:5D13F9907AC381D19F0A7552FD6D9FC07C9BD42C0F9CE017FFF75587E1890375
                                                                                                                                                                                                                      SHA-512:01339E04130E08573DF7DBDFE25D82ED1D248B8D127BB90D536ECF4A26F5554E793E51E1A1800F61790738CC386121E443E942544246C60E47E25756F0C810A3
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 6005 bytes, 2 files, at 0x44 "HexagonRadial.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):22149
                                                                                                                                                                                                                      Entropy (8bit):7.659898883631361
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:b98FG/zdCbf7BOEawSi8E0GftpBjEPTFPxFLrHRN7S5ll7PK/pA2:N/zAbDae8Pi6PFPSRIA2
                                                                                                                                                                                                                      MD5:66C5199CF4FB18BD4F9F3F2CCB074007
                                                                                                                                                                                                                      SHA1:BA9D8765FFC938549CC19B69B3BF5E6522FB062E
                                                                                                                                                                                                                      SHA-256:4A7DC4ED098E580C8D623C51B57C0BC1D601C45F40B60F39BBA5F063377C3C1F
                                                                                                                                                                                                                      SHA-512:94C434A131CDE47CB64BCD2FB8AF442482F8ECFA63D958C832ECA935DEB10D360034EF497E2EBB720C72B4C1D7A1130A64811D362054E1D52A441B91C46034B0
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 3144 bytes, 2 files, at 0x44 "VaryingWidthList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):19288
                                                                                                                                                                                                                      Entropy (8bit):7.570850633867256
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:5ZII4Hf+7G8E0GftpBjCwBFLrHRN7bcClvQyUTL2mH:pG8PicgbcAvU+mH
                                                                                                                                                                                                                      MD5:B9A6FF715719EE9DE16421AB983CA745
                                                                                                                                                                                                                      SHA1:6B3F68B224020CD4BF142D7EDAAEC6B471870358
                                                                                                                                                                                                                      SHA-256:E3BE3F1E341C0FA5E9CB79E2739CF0565C6EA6C189EA3E53ACF04320459A7070
                                                                                                                                                                                                                      SHA-512:062A765AC4602DB64D0504B79BE7380C14C143091A09F98A5E03E18747B2166BD862CE7EF55403D27B54CEB397D95BFAE3195C15D5516786FEBDAC6CD5FBF9CD
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 5213 bytes, 2 files, at 0x44 "rings.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):21357
                                                                                                                                                                                                                      Entropy (8bit):7.641082043198371
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:zdx+NRrogu6fzCI7Th7G8E0GftpBjEzZq4FLrHRN7/Oll7PK/pB:/+NRrFf/G8Pi6zZb/GIB
                                                                                                                                                                                                                      MD5:97F5B7B7E9E1281999468A5C42CB12E7
                                                                                                                                                                                                                      SHA1:99481B2FA609D1D80A9016ADAA3D37E7707A2ED1
                                                                                                                                                                                                                      SHA-256:1CF5C2D0F6188FFFF117932C424CC55D1459E0852564C09D7779263ABD116118
                                                                                                                                                                                                                      SHA-512:ACE9718D724B51FE04B900CE1D2075C0C05C80243EA68D4731A63138F3A1287776E80BD67ECB14C323C69AA1796E9D8774A3611FE835BA3CA891270DE1E7FD1F
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 14813 bytes, 2 files, at 0x4c "iso690nmerical.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 7 datablocks, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):30957
                                                                                                                                                                                                                      Entropy (8bit):7.808231503692675
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:rKfgT03jNkAFbgUQWtxq9OGh1bBkd/1MVHb5iVOdMgbA8E0GftpBjEl8tFLrHRNF:r303jOrUQAkfhopWHbA8Pi6l8zuUIq
                                                                                                                                                                                                                      MD5:D3C9036E4E1159E832B1B4D2E9D42BF0
                                                                                                                                                                                                                      SHA1:966E04B7A8016D7FDAFE2C611957F6E946FAB1B9
                                                                                                                                                                                                                      SHA-256:434576EB1A16C2D14D666A33EDDE76717C896D79F45DF56742AFD90ACB9F21CE
                                                                                                                                                                                                                      SHA-512:D28D7F467F072985BCFCC6449AD16D528D531EB81912D4C3D956CF8936F96D474B18E7992B16D6834E9D2782470D193A17598CAB55A7F9EB0824BC3F069216B6
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 15327 bytes, 2 files, at 0x4c "sist02.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):31471
                                                                                                                                                                                                                      Entropy (8bit):7.818389271364328
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:eNtFWk68dbr2QxbM971RqpzAA8Pi6TlHaGRA5yr:eNtEkpGSbuHAkP7TlHaGq54
                                                                                                                                                                                                                      MD5:91AADBEC4171CFA8292B618492F5EF34
                                                                                                                                                                                                                      SHA1:A47DEB62A21056376DD8F862E1300F1E7DC69D1D
                                                                                                                                                                                                                      SHA-256:7E1A90CDB2BA7F03ABCB4687F0931858BF57E13552E0E4E54EC69A27325011EA
                                                                                                                                                                                                                      SHA-512:1978280C699F7F739CD9F6A81F2B665643BD0BE42CE815D22528F0D57C5A646FC30AAE517D4A0A374EFB8BD3C53EB9B3D129660503A82BA065679BBBB39BD8D5
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 15461 bytes, 2 files, at 0x4c "gostname.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):31605
                                                                                                                                                                                                                      Entropy (8bit):7.820497014278096
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:7SpOUxgQ9gFodHZktfHa2TSmcAg76j8/xorK0JoZgbA8E0GftpBjE2PzFLrHRN7S:OngHltf7Bcp/xoB3A8Pi625D8RA54
                                                                                                                                                                                                                      MD5:69EDB3BF81C99FE8A94BBA03408C5AE1
                                                                                                                                                                                                                      SHA1:1AC85B369A976F35244BEEFA9C06787055C869C1
                                                                                                                                                                                                                      SHA-256:CEBE759BC4509700E3D23C6A5DF8D889132A60EBC92260A74947EAA1089E2789
                                                                                                                                                                                                                      SHA-512:BEA70229A21FBA3FD6D47A3DC5BECBA3EAA0335C08D486FAB808344BFAA2F7B24DD9A14A0F070E13A42BE45DE3FF54D32CF38B43192996D20DF4176964E81A53
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 17466 bytes, 2 files, at 0x4c "chicago.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 10 datablocks, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):33610
                                                                                                                                                                                                                      Entropy (8bit):7.8340762758330476
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:IlFYcxiahedKSDNAPk5WEEfA8Pi6xnOKMRA58:2JitdKsNAM5WBDP7xOKMq58
                                                                                                                                                                                                                      MD5:51804E255C573176039F4D5B55C12AB2
                                                                                                                                                                                                                      SHA1:A4822E5072B858A7CCA7DE948CAA7D2268F1BB4B
                                                                                                                                                                                                                      SHA-256:3C6F66790C543D4E9D8E0E6F476B1ACADF0A5FCDD561B8484D8DDDADFDF8134B
                                                                                                                                                                                                                      SHA-512:2AC8B1E433C9283377B725A03AE72374663FEC81ABBA4C049B80409819BB9613E135FCD640ED433701795BDF4D5822461D76A06859C4084E7BAE216D771BB091
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 4091 bytes, 2 files, at 0x44 "BracketList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):20235
                                                                                                                                                                                                                      Entropy (8bit):7.61176626859621
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:j3W3yGyjgbA8E0GftpBjEHvFLrHRN7pDAlI66Yv1:j3WFyAA8Pi6HVpDZ66c1
                                                                                                                                                                                                                      MD5:E3C64173B2F4AA7AB72E1396A9514BD8
                                                                                                                                                                                                                      SHA1:774E52F7E74B90E6A520359840B0CA54B3085D88
                                                                                                                                                                                                                      SHA-256:16C08547239E5B969041AB201EB55A3E30EAD400433E926257331CB945DFF094
                                                                                                                                                                                                                      SHA-512:7ED618578C6517ED967FB3521FD4DBED9CDFB7F7982B2B8437804786833207D246E4FCD7B85A669C305BE3B823832D2628105F01E2CF30B494172A17FC48576D
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 15338 bytes, 2 files, at 0x4c "gosttitle.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):31482
                                                                                                                                                                                                                      Entropy (8bit):7.808057272318224
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:LgHv7aLOcoLGQ4EykdrHwLa+A8Pi6Iv8ACIa:LwvWyx4EykdTwLaWP7I0ACIa
                                                                                                                                                                                                                      MD5:F10DF902980F1D5BEEA96B2C668408A7
                                                                                                                                                                                                                      SHA1:92D341581B9E24284B7C29E5623F8028DBBAAFE9
                                                                                                                                                                                                                      SHA-256:E0100320A4F63E07C77138A89EA24A1CBD69784A89FE3BF83E35576114B4CE02
                                                                                                                                                                                                                      SHA-512:00A8FBCD17D791289AC8F12DC3C404B0AFD240278492DF74D2C5F37609B11D91A26D737BE95D3FE01CDBC25EEDC6DA0C2D63A2CCC4AB208D6E054014083365FB
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 4410 bytes, 2 files, at 0x44 "PictureFrame.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):20554
                                                                                                                                                                                                                      Entropy (8bit):7.612044504501488
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:zEAH676iPi8+IS5iqn7G8E0GftpBjExDxIHFLrHRN7Ke/ll7PK/pGaz6:zEhG8+ISrG8Pi6xDxCKoIGaz6
                                                                                                                                                                                                                      MD5:486CBCB223B873132FFAF4B8AD0AD044
                                                                                                                                                                                                                      SHA1:B0EC82CD986C2AB5A51C577644DE32CFE9B12F92
                                                                                                                                                                                                                      SHA-256:B217393FD2F95A11E2C594E736067870212E3C5242A212D6F9539450E8684616
                                                                                                                                                                                                                      SHA-512:69A48BF2B1DB64348C63FC0A50B4807FB9F0175215E306E60252FFFD792B1300128E8E847A81A0E24757B5F999875DA9E662C0F0D178071DB4F9E78239109060
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 6450 bytes, 2 files, at 0x44 "ThemePictureAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):22594
                                                                                                                                                                                                                      Entropy (8bit):7.674816892242868
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:L7d2l8FbHaaIKbtv1gDISi8E0GftpBjEZRFLrHRN74bUll7PK/pd:LUlCIOt/8Pi6Zv4bMId
                                                                                                                                                                                                                      MD5:EE0129C7CC1AC92BBC3D6CB0F653FCAE
                                                                                                                                                                                                                      SHA1:4ABAA858176B349BDAB826A7C5F9F00AC5499580
                                                                                                                                                                                                                      SHA-256:345AA5CA2496F975B7E33C182D5E57377F8B740F23E9A55F4B2B446723947B72
                                                                                                                                                                                                                      SHA-512:CDDABE701C8CBA5BD5D131ABB85F9241212967CE6924E34B9D78D6F43D76A8DE017E28302FF13CE800456AD6D1B5B8FFD8891A66E5BE0C1E74CF19DF9A7AD959
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 27509 bytes, 2 files, at 0x4c "Equations.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):43653
                                                                                                                                                                                                                      Entropy (8bit):7.899157106666598
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:+bjfeR1OOZvv439PlDe5/QzhgFSo0UEDmJwkqTA8Pi63Bsgn66w:IM3CN9ZzhFbUUwaP73BsB6w
                                                                                                                                                                                                                      MD5:DA3380458170E60CBEA72602FDD0D955
                                                                                                                                                                                                                      SHA1:1D059F8CFD69F193D363DA337C87136885018F0F
                                                                                                                                                                                                                      SHA-256:6F8FFB225F3B8C7ADE31A17A02F941FC534E4F7B5EE678B21CD9060282034701
                                                                                                                                                                                                                      SHA-512:17080110000C66DF2282FF4B8FD332467AF8CEFFA312C617E958FDFEBEE8EEA9E316201E8ABC8B30797BB6124A5CC7F649119A9C496316434B5AB23D2FBD5BB8
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 10800 bytes, 2 files, at 0x44 "ConvergingText.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):26944
                                                                                                                                                                                                                      Entropy (8bit):7.7574645319832225
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:sbUX16g8/atF4NB3TJOvqeMRD/8svIZj/OwgbA8E0GftpBjEYwFLrHRN7mYll7PY:sbhg8yY4nMZK2hA8Pi6Yum4IVR
                                                                                                                                                                                                                      MD5:F913DD84915753042D856CEC4E5DABA5
                                                                                                                                                                                                                      SHA1:FB1E423C8D09388C3F0B6D44364D94D786E8CF53
                                                                                                                                                                                                                      SHA-256:AA03AFB681A76C86C1BD8902EE2BBA31A644841CE6BCB913C8B5032713265578
                                                                                                                                                                                                                      SHA-512:C48850522C809B18208403B3E721ABEB1187F954045CE2F8C48522368171CC8FAF5F30FA44F6762AFDE130EC72284BB2E74097A35FE61F056656A27F9413C6B6
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 30269 bytes, 2 files, at 0x4c "Text Sidebar (Annual Report Red and Black design).docx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):46413
                                                                                                                                                                                                                      Entropy (8bit):7.9071408623961394
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:WaxA0CH65GY3+fvCXCttfR8JEBrkquwDn+QV5V+vNWBatX/xG8Pi65sMuMjvU+mQ:hne65GYOfKXMSEBrBtDnzFAI4JxP75sM
                                                                                                                                                                                                                      MD5:C455C4BC4BEC9E0DA67C4D1E53E46D5A
                                                                                                                                                                                                                      SHA1:7674600C387114B0F98EC925BE74E811FB25C325
                                                                                                                                                                                                                      SHA-256:40E9AF9284FF07FDB75C33A11A794F5333712BAA4A6CF82FA529FBAF5AD0FED0
                                                                                                                                                                                                                      SHA-512:08166F6CB3F140E4820F86918F59295CAD8B4A17240C206DCBA8B46088110BDF4E4ADBAB9F6380315AD4590CA7C8ECDC9AFAC6BD1935B17AFB411F325FE81720
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 19375 bytes, 2 files, at 0x4c "turabian.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):35519
                                                                                                                                                                                                                      Entropy (8bit):7.846686335981972
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:2LFougzHaUdBKUsM+Z56zBjA8Pi6bo+ld8IX:MFodzHaULR9P7bo+l6IX
                                                                                                                                                                                                                      MD5:53EE9DA49D0B84357038ECF376838D2E
                                                                                                                                                                                                                      SHA1:AB03F46783B2227F312187DD84DC0C517510DE20
                                                                                                                                                                                                                      SHA-256:9E46B8BA0BAD6E534AF33015C86396C33C5088D3AE5389217A5E90BA68252374
                                                                                                                                                                                                                      SHA-512:751300C76ECE4901801B1F9F51EACA7A758D5D4E6507E227558AAAAF8E547C3D59FA56153FEA96B6B2D7EB08C7AF2E4D5568ACE7E798D1A86CEDE363EFBECF7C
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 5647 bytes, 2 files, at 0x44 "RadialPictureList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):21791
                                                                                                                                                                                                                      Entropy (8bit):7.65837691872985
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:PWew5RNDcvPgbA8E0GftpBjE0hsyaFLrHRN7BD9lI66YR:P3GRNDcEA8Pi60hsyABDo66g
                                                                                                                                                                                                                      MD5:7BF88B3CA20EB71ED453A3361908E010
                                                                                                                                                                                                                      SHA1:F75F86557051160507397F653D7768836E3B5655
                                                                                                                                                                                                                      SHA-256:E555A610A61DB4F45A29A7FB196A9726C25772594252AD534453E69F05345283
                                                                                                                                                                                                                      SHA-512:2C3DFB0F8913D1D8FF95A55E1A1FD58CE1F9D034268CD7BC0D2BF2DCEFEA8EF05DD62B9AFDE1F983CACADD0529538381632ADFE7195EAC19CE4143414C44DBE3
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 5731 bytes, 2 files, at 0x44 "ThemePictureAlternatingAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):21875
                                                                                                                                                                                                                      Entropy (8bit):7.6559132103953305
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:k73HRpZA6B3ulrnxtRT7G8E0GftpBjEdHqlFLrHRN7uhFlvQyUTL2m4c:k7XRgIkrG8Pi6dmuNvU+mp
                                                                                                                                                                                                                      MD5:E532038762503FFA1371DF03FA2E222D
                                                                                                                                                                                                                      SHA1:F343B559AE21DAEF06CBCD8B2B3695DE1B1A46F0
                                                                                                                                                                                                                      SHA-256:5C70DD1551EB8B9B13EFAFEEAF70F08B307E110CAEE75AD9908A6A42BBCCB07E
                                                                                                                                                                                                                      SHA-512:E0712B481F1991256A01C3D02ED56645F61AA46EB5DE47E5D64D5ECD20052CDA0EE7D38208B5EE982971CCA59F2717B7CAE4DFCF235B779215E7613AA5DCD976
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 5864 bytes, 2 files, at 0x44 "architecture.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):22008
                                                                                                                                                                                                                      Entropy (8bit):7.662386258803613
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:M7FUtfIdqSHQs7G8E0GftpBjED/C4RQrFLrHRN7TT8DlvQyUTL2mH:sWgdqR2G8Pi6D6YQZTTMvU+mH
                                                                                                                                                                                                                      MD5:ABBF10CEE9480E41D81277E9538F98CB
                                                                                                                                                                                                                      SHA1:F4EA53D180C95E78CC1DA88CD63F4C099BF0512C
                                                                                                                                                                                                                      SHA-256:557E0714D5536070131E7E7CDD18F0EF23FE6FB12381040812D022EC0FEE7957
                                                                                                                                                                                                                      SHA-512:9430DAACF3CA67A18813ECD842BE80155FD2DE0D55B7CD16560F4AAEFDA781C3E4B714D850D367259CAAB28A3BF841A5CB42140B19CFE04AC3C23C358CA87FFB
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 16689 bytes, 2 files, at 0x4c "iso690.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):32833
                                                                                                                                                                                                                      Entropy (8bit):7.825460303519308
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:+0TU06CkaUYMoi//YX428RaFA8Pi6e9iA4I3w:vICTm/QorUpP7eAA4I3w
                                                                                                                                                                                                                      MD5:205AF51604EF96EF1E8E60212541F742
                                                                                                                                                                                                                      SHA1:D436FE689F8EF51FBA898454CF509DDB049C1545
                                                                                                                                                                                                                      SHA-256:DF3FFF163924D08517B41455F2D06788BA4E49C68337D15ECF329BE48CF7DA2D
                                                                                                                                                                                                                      SHA-512:BCBA80ED0E36F7ABC1AEF19E6FF6EB654B9E91268E79CA8F421CB8ADD6C2B0268AD6C45E6CC06652F59235084ECDA3BA2851A38E6BCD1A0387EB3420C6EC94AC
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 3749 bytes, 2 files, at 0x44 "TabbedArc.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):19893
                                                                                                                                                                                                                      Entropy (8bit):7.592090622603185
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:v3Zh3VlkpSIcgbA8E0GftpBjEmm3UFLrHRN7GYvlvQyUTL2mTAp:v31qp/A8Pi6mUqGGvU+mcp
                                                                                                                                                                                                                      MD5:EF9CB8BDFBC08F03BEF519AD66BA642F
                                                                                                                                                                                                                      SHA1:D98C275E9402462BF52A4D28FAF57DF0D232AF6B
                                                                                                                                                                                                                      SHA-256:93A2F873ACF5BEAD4BC0D1CC17B5E89A928D63619F70A1918B29E5230ABEAD8E
                                                                                                                                                                                                                      SHA-512:4DFBDF389730370FA142DCFB6F7E1AC1C0540B5320FA55F94164C0693DB06C21E6D4A1316F0ABE51E51BCBDAB3FD33AE882D9E3CFDB4385AB4C3AF4C2536B0B3
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 9170 bytes, 2 files, at 0x44 "InterconnectedBlockProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):25314
                                                                                                                                                                                                                      Entropy (8bit):7.729848360340861
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:75V23GNhfG/YvmBqWDP7G8E0GftpBjEB1vrFLrHRN7mKll7PK/pRU0:LS/Yvc7TG8Pi6BLm6IS0
                                                                                                                                                                                                                      MD5:C47E3430AF813DF8B02E1CB4829DD94B
                                                                                                                                                                                                                      SHA1:35F1F1A18AA4FD2336A4EA9C6005DBE70013C7FC
                                                                                                                                                                                                                      SHA-256:F2DB1E60533F0D108D5FB1004904C1F2E8557D4493F3B251A1B3055F8F1507A3
                                                                                                                                                                                                                      SHA-512:6F8904E658EB7D04C6880F7CC3EC63FCFE31EF2C3A768F4ECF40B115314F23774DAEE66DCE9C55FAF0AD31075A3AC27C8967FD341C23C953CA28BDC120997287
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 18672 bytes, 2 files, at 0x4c "APASixthEditionOfficeOnline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):34816
                                                                                                                                                                                                                      Entropy (8bit):7.840826397575377
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:i3R9VYnIYfPYmqX0CnF1SRHVnLG8Pi61YbEIFO:ih9VjYfPYlk+F1SJxP71YbEIFO
                                                                                                                                                                                                                      MD5:62863124CDCDA135ECC0E722782CB888
                                                                                                                                                                                                                      SHA1:2543B8A9D3B2304BB73D2ADBEC60DB040B732055
                                                                                                                                                                                                                      SHA-256:23CCFB7206A8F77A13080998EC6EF95B59B3C3E12B72B2D2AD4E53B0B26BB8C3
                                                                                                                                                                                                                      SHA-512:2734D1119DC14B7DFB417F217867EF8CE8E73D69C332587278C0896B91247A40C289426A1A53F1796CCB42190001273D35525FCEA8BA2932A69A581972A1EF00
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 26644 bytes, 2 files, at 0x4c "Element design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):42788
                                                                                                                                                                                                                      Entropy (8bit):7.89307894056
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:Hx+UzBiwDQTXgBm029ClGn4BZz6i5kIew/jG8Pi6lYJz1gH:0ZXc29eGn2n5klwjxP7l2z1gH
                                                                                                                                                                                                                      MD5:21A4B7B71631C2CCDA5FBBA63751F0D2
                                                                                                                                                                                                                      SHA1:DE65DC641D188062EF9385CC573B070AAA8BDD28
                                                                                                                                                                                                                      SHA-256:AE0C5A2C8377DBA613C576B1FF73F01AE8EF4A3A4A10B078B5752FB712B3776C
                                                                                                                                                                                                                      SHA-512:075A9E95C6EC7E358EA8942CF55EFB72AC797DEE1F1FFCD27AD60472ED38A76048D356638EF6EAC22106F94AFEE9D543B502D5E80B964471FA7419D288867D5D
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 206792 bytes, 2 files, at 0x44 +A "content.inf" +A "View.thmx", flags 0x4, ID 33885, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):222992
                                                                                                                                                                                                                      Entropy (8bit):7.994458910952451
                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                      SSDEEP:6144:k8/c2cF9GTLqsTmYstUdx+dwb2ooiVOfiI17zWbQ:jbzqGdpbZ/Mf3h68
                                                                                                                                                                                                                      MD5:26BEAB9CCEAFE4FBF0B7C0362681A9D2
                                                                                                                                                                                                                      SHA1:F63DD970040CA9F6CFCF5793FF7D4F1F4A69C601
                                                                                                                                                                                                                      SHA-256:217EC1B6E00A24583B166026DEC480D447FB564CF3BCA81984684648C272F767
                                                                                                                                                                                                                      SHA-512:2BBEA62360E21E179014045EE95C7B330A086014F582439903F960375CA7E9C0CF5C0D5BB24E94279362965CA9D6A37E6AAA6A7C5969FC1970F6C50876582BE1
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 243642 bytes, 2 files, at 0x44 +A "content.inf" +A "Metropolitan.thmx", flags 0x4, ID 19054, number 1, extra bytes 20 in head, 24 datablocks, 0x1503 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):261258
                                                                                                                                                                                                                      Entropy (8bit):7.99541965268665
                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                      SSDEEP:6144:9blShNYrHNn0JU+D+kh8CIjXHWC7X0nZLC9Ge2KY/WfI:9ZSTYrtn0Sk+CIDHWC7chVKYx
                                                                                                                                                                                                                      MD5:65828DC7BE8BA1CE61AD7142252ACC54
                                                                                                                                                                                                                      SHA1:538B186EAF960A076474A64F508B6C47B7699DD3
                                                                                                                                                                                                                      SHA-256:849E2E915AA61E2F831E54F337A745A5946467D539CCBD0214B4742F4E7E94FF
                                                                                                                                                                                                                      SHA-512:8C129F26F77B4E73BF02DE8F9A9F432BB7E632EE4ABAD560A331C2A12DA9EF5840D737BFC1CE24FDCBB7EF39F30F98A00DD17F42C51216F37D0D237145B8DE15
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 291188 bytes, 2 files, at 0x44 +A "Banded.thmx" +A "content.inf", flags 0x4, ID 56338, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):307348
                                                                                                                                                                                                                      Entropy (8bit):7.996451393909308
                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                      SSDEEP:6144:7vH3uG+yiWx0eVJyORloyyDqnHefzOs81MrXLXx7:b36yiWH/LRS2CJl1
                                                                                                                                                                                                                      MD5:0EBC45AA0E67CC435D0745438371F948
                                                                                                                                                                                                                      SHA1:5584210C4A8B04F9C78F703734387391D6B5B347
                                                                                                                                                                                                                      SHA-256:3744BFA286CFCFF46E51E6A68823A23F55416CD6619156B5929FED1F7778F1C7
                                                                                                                                                                                                                      SHA-512:31761037C723C515C1A9A404E235FE0B412222CB239B86162D17763565D0CCB010397376FB9B61B38A6AEBDD5E6857FD8383045F924AF8A83F2C9B9AF6B81407
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 252241 bytes, 2 files, at 0x44 +A "content.inf" +A "Frame.thmx", flags 0x4, ID 34169, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):271273
                                                                                                                                                                                                                      Entropy (8bit):7.995547668305345
                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                      SSDEEP:6144:zfdvQnJMwXse4Vradf3mrC7woyWbjKlCVC7K:zfJwJse4VrS1AK
                                                                                                                                                                                                                      MD5:21437897C9B88AC2CB2BB2FEF922D191
                                                                                                                                                                                                                      SHA1:0CAD3D026AF2270013F67E43CB44F0568013162D
                                                                                                                                                                                                                      SHA-256:372572DCBAD590F64F5D18727757CBDF9366DDE90955C79A0FCC9F536DAB0384
                                                                                                                                                                                                                      SHA-512:A74DA3775C19A7AF4A689FA4D920E416AB9F40A8BDA82CCF651DDB3EACBC5E932A120ABF55F855474CEBED0B0082F45D091E211AAEA6460424BFD23C2A445CC7
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 214772 bytes, 2 files, at 0x44 +A "content.inf" +A "Parcel.thmx", flags 0x4, ID 26500, number 1, extra bytes 20 in head, 19 datablocks, 0x1503 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):230916
                                                                                                                                                                                                                      Entropy (8bit):7.994759087207758
                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                      SSDEEP:6144:OTIPtMXmJWnzPS3pqnkeuJXW+FNx1a72rLiQxEBTR:750nz63/FJRFLISnp+Bt
                                                                                                                                                                                                                      MD5:93FA9F779520AB2D22AC4EA864B7BB34
                                                                                                                                                                                                                      SHA1:D1E9F53A0E012A89978A3C9DED73FB1D380A9D8A
                                                                                                                                                                                                                      SHA-256:6A3801C1D4CF0C19A990282D93AC16007F6CACB645F0E0684EF2EDAC02647833
                                                                                                                                                                                                                      SHA-512:AA91B4565C88E5DA0CF294DC4A2C91EAEB6D81DCA96069DB032412E1946212A13C3580F5C0143DD28B33F4849D2C2DF2214CE1E20598D634E78663D20F03C4E6
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 259074 bytes, 2 files, at 0x44 +A "content.inf" +A "Dividend.thmx", flags 0x4, ID 58359, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):276650
                                                                                                                                                                                                                      Entropy (8bit):7.995561338730199
                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                      SSDEEP:6144:H2a+HFkDF8gpmMt4kzwVVqhSYO6DITxPWgJl1CFExwXyo7N:mlZgFtIVVTuDExeWuv7N
                                                                                                                                                                                                                      MD5:84D8F3848E7424CBE3801F9570E05018
                                                                                                                                                                                                                      SHA1:71D7F2621DA8B295CE6885F8C7C81016D583C6B1
                                                                                                                                                                                                                      SHA-256:B4BC3CD34BD328AAF68289CC0ED4D5CF8167F1EE1D7BE20232ED4747FF96A80A
                                                                                                                                                                                                                      SHA-512:E27873BFD95E464CB58B3855F2DA404858B935530CF74C7F86FF8B3FC3086C2FAEA09FA479F0CA7B04D87595ED8C4D07D104426FF92DFB31BED405FA7A017DA8
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 279287 bytes, 2 files, at 0x44 +A "Basis.thmx" +A "content.inf", flags 0x4, ID 55632, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):295527
                                                                                                                                                                                                                      Entropy (8bit):7.996203550147553
                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                      SSDEEP:6144:nwVaEqsf23c9shf6UyOGgDWDn/p3fd+zkPWnvGL3n9bQnkmVheyqtkl:MlPfW6sVEDn/pPdhWnvGL36zyyqal
                                                                                                                                                                                                                      MD5:9A07035EF802BF89F6ED254D0DB02AB0
                                                                                                                                                                                                                      SHA1:9A48C1962B5CF1EE37FEEC861A5B51CE11091E78
                                                                                                                                                                                                                      SHA-256:6CB03CEBAB2C28BF5318B13EEEE49FBED8DCEDAF771DE78126D1BFE9BD81C674
                                                                                                                                                                                                                      SHA-512:BE13D6D88C68FA16390B04130838D69CDB6169DC16AF0E198C905B22C25B345C541F8FCCD4690D88BE89383C19943B34EDC67793F5EB90A97CD6F6ECCB757F87
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 704319 bytes, 2 files, at 0x44 +A "content.inf" +A "Wood_Type.thmx", flags 0x4, ID 5778, number 1, extra bytes 20 in head, 51 datablocks, 0x1503 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):723359
                                                                                                                                                                                                                      Entropy (8bit):7.997550445816903
                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                      SSDEEP:12288:NPnBZX7wR3tMwYqNDQGnXTtfzO5U7yo6O7bLhe8yE3LLDok4a:JBMbYE7xzO5U917bLh/DL3oJa
                                                                                                                                                                                                                      MD5:748A53C6BDD5CE97BD54A76C7A334286
                                                                                                                                                                                                                      SHA1:7DD9EEDB13AC187E375AD70F0622518662C61D9F
                                                                                                                                                                                                                      SHA-256:9AF92B1671772E8E781B58217DAB481F0AFBCF646DE36BC1BFFC7D411D14E351
                                                                                                                                                                                                                      SHA-512:EC8601D1A0DBD5D79C67AF2E90FAD44BBC0B890412842BF69065A2C7CB16C12B1C5FF594135C7B67B830779645801DA20C9BE8D629B6AD8A3BA656E0598F0540
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 624532 bytes, 2 files, at 0x44 +A "content.inf" +A "Quotable.thmx", flags 0x4, ID 13510, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):640684
                                                                                                                                                                                                                      Entropy (8bit):7.99860205353102
                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                      SSDEEP:12288:eV7ivfl+kbkIrWu+2aoRjwv/cSUWauGPo2v65s4QqcT3ZCCz6CSj8aC:fdhr1+3y4MWaC2CO4V+3ZCCDsO
                                                                                                                                                                                                                      MD5:F93364EEC6C4FFA5768DE545A2C34F07
                                                                                                                                                                                                                      SHA1:166398552F6B7F4509732E148F93E207DD60420B
                                                                                                                                                                                                                      SHA-256:296B915148B29751E68687AE37D3FAFD9FFDDF458C48EB059A964D8F2291E899
                                                                                                                                                                                                                      SHA-512:4F0965B4C5F543B857D9A44C7A125DDD3E8B74837A0FDD80C1FDC841BF22FC4CE4ADB83ACA8AA65A64F8AE6D764FA7B45B58556F44CFCE92BFAC43762A3BC5F4
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 682092 bytes, 2 files, at 0x44 +A "Berlin.thmx" +A "content.inf", flags 0x4, ID 46672, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):698244
                                                                                                                                                                                                                      Entropy (8bit):7.997838239368002
                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                      SSDEEP:12288:bUfKzAwwP7XAMWtr4FvMRt4lX0hnBdThiSb32+TdysrQgn7v4EemC6:sr7AMkJ34xu1bm4ZrQaY6
                                                                                                                                                                                                                      MD5:E29CE2663A56A1444EAA3732FFB82940
                                                                                                                                                                                                                      SHA1:767A14B51BE74D443B5A3FEFF4D870C61CB76501
                                                                                                                                                                                                                      SHA-256:3732EB6166945DB2BF792DA04199B5C4A0FB3C96621ECBFDEAF2EA1699BA88EE
                                                                                                                                                                                                                      SHA-512:6BC420F3A69E03D01A955570DC0656C83C9E842C99CF7B429122E612E1E54875C61063843D8A24DB7EC2035626F02DDABF6D84FC3902184C1EFF3583DBB4D3D8
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 533290 bytes, 2 files, at 0x44 +A "content.inf" +A "Parallax.thmx", flags 0x4, ID 64081, number 1, extra bytes 20 in head, 29 datablocks, 0x1503 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):550906
                                                                                                                                                                                                                      Entropy (8bit):7.998289614787931
                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                      SSDEEP:12288:N4Ar9NyDhUQM0Hk86V1YnOIxQ9e6SJbj2OjK:jAG8wa5Qw6SZ2Oj
                                                                                                                                                                                                                      MD5:1C12315C862A745A647DAD546EB4267E
                                                                                                                                                                                                                      SHA1:B3FA11A511A634EEC92B051D04F8C1F0E84B3FD6
                                                                                                                                                                                                                      SHA-256:4E2E93EBAC4AD3F8690B020040D1AE3F8E7905AB7286FC25671E07AA0282CAC0
                                                                                                                                                                                                                      SHA-512:CA8916694D42BAC0AD38B453849958E524E9EED2343EBAA10DF7A8ACD13DF5977F91A4F2773F1E57900EF044CFA7AF8A94B3E2DCE734D7A467DBB192408BC240
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 1049713 bytes, 2 files, at 0x44 +A "content.inf" +A "Savon.thmx", flags 0x4, ID 60609, number 1, extra bytes 20 in head, 37 datablocks, 0x1503 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1065873
                                                                                                                                                                                                                      Entropy (8bit):7.998277814657051
                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                      SSDEEP:24576:qehtHA3nsAOx7yN7THwxdGpkw8R60aTcua5U4c:hhmnsBMNAxdGpV5za5Uv
                                                                                                                                                                                                                      MD5:E1101CCA6E3FEDB28B57AF4C41B50D37
                                                                                                                                                                                                                      SHA1:990421B1D858B756E6695B004B26CDCCAE478C23
                                                                                                                                                                                                                      SHA-256:69B2675E47917A9469F771D0C634BD62B2DFA0F5D4AF3FD7AFE9196BF889C19E
                                                                                                                                                                                                                      SHA-512:B1EDEA65B6D0705A298BFF85FC894A11C1F86B43FAC3C2149D0BD4A13EDCD744AF337957CBC21A33AB7A948C11EA9F389F3A896B6B1423A504E7028C71300C44
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 937309 bytes, 2 files, at 0x44 +A "content.inf" +A "Gallery.thmx", flags 0x4, ID 44349, number 1, extra bytes 20 in head, 34 datablocks, 0x1503 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):953453
                                                                                                                                                                                                                      Entropy (8bit):7.99899040756787
                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                      SSDEEP:24576:9B1Onw3vg7aeYPagzbJ5Vhv6LnV2Dhl7GEYqVjcyd:vww3o7BYPJbJ5Vh6UCqZfd
                                                                                                                                                                                                                      MD5:D4EAC009E9E7B64B8B001AE82B8102FA
                                                                                                                                                                                                                      SHA1:D8D166494D5813DB20EA1231DA4B1F8A9B312119
                                                                                                                                                                                                                      SHA-256:8B0631DA4DC79E036251379A0A68C3BA977F14BCC797BA0EB9692F8BB90DDB4D
                                                                                                                                                                                                                      SHA-512:561653F9920661027D006E7DEF7FB27DE23B934E4860E0DF78C97D183B7CEBD9DCE0D395E2018EEF1C02FC6818A179A661E18A2C26C4180AFEE5EF4F9C9C6035
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 1081343 bytes, 2 files, at 0x44 +A "Circuit.thmx" +A "content.inf", flags 0x4, ID 11309, number 1, extra bytes 20 in head, 45 datablocks, 0x1503 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1097591
                                                                                                                                                                                                                      Entropy (8bit):7.99825462915052
                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                      SSDEEP:24576:UE9BMy98gA4cDWHkSrDans3MfEE6w8OaVuCibol0j41dwD:UE9Bdy3D4keQWt7w85VuVoaj4/Q
                                                                                                                                                                                                                      MD5:BF95E967E7D1CEC8EFE426BC0127D3DE
                                                                                                                                                                                                                      SHA1:BA44C5500A36D748A9A60A23DB47116D37FD61BC
                                                                                                                                                                                                                      SHA-256:4C3B008E0EB10A722D8FEDB325BFB97EDAA609B1E901295F224DD4CB4DF5FC26
                                                                                                                                                                                                                      SHA-512:0697E394ABAC429B00C3A4F8DB9F509E5D45FF91F3C2AF2C2A330D465825F058778C06B129865B6107A0731762AD73777389BB0E319B53E6B28C363232FA2CE8
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 1291243 bytes, 2 files, at 0x44 +A "content.inf" +A "Droplet.thmx", flags 0x4, ID 47417, number 1, extra bytes 20 in head, 54 datablocks, 0x1503 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1310275
                                                                                                                                                                                                                      Entropy (8bit):7.9985829899274385
                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                      SSDEEP:24576:NN3M9UHpHZE4aubaPubP3M6d71FdtmFAjq+54/79LVzG+VnS:NN3M9UJHZE4abPyU4JtmFCq+q/7JlVS
                                                                                                                                                                                                                      MD5:9C9F49A47222C18025CC25575337A965
                                                                                                                                                                                                                      SHA1:E42EDB33471D7C1752DCC42C06DD3F9FDA8B25F0
                                                                                                                                                                                                                      SHA-256:ADA7EFF0676D9CCE1935D5485F3DDE35C594D343658FB1DA42CB5A48FC3FC16A
                                                                                                                                                                                                                      SHA-512:9FDCBAB988CBE97BFD931B727D31BA6B8ECF795D0679A714B9AFBC2C26E7DCF529E7A51289C7A1AE7EF04F4A923C2D7966D5AF7C0BC766DCD0FCA90251576794
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 1750009 bytes, 2 files, at 0x44 +A "content.inf" +A "Slate.thmx", flags 0x4, ID 28969, number 1, extra bytes 20 in head, 72 datablocks, 0x1503 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1766185
                                                                                                                                                                                                                      Entropy (8bit):7.9991290831091115
                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                      SSDEEP:24576:O/gjMj+RP9Q07h9F75a0BXjBccHMVk2Hq2SkGa0QglyZtxmdPP2LcSUtfgfp16Yx:kJ6RP9Q07/X5V7yVF0QgktxAPutUt0zP
                                                                                                                                                                                                                      MD5:828F96031F40BF8EBCB5E52AAEEB7E4C
                                                                                                                                                                                                                      SHA1:CACC32738A0A66C8FE51A81ED8E27A6F82E69EB2
                                                                                                                                                                                                                      SHA-256:640AD075B555D4A2143F909EAFD91F54076F5DDE42A2B11CD897BC564B5D7FF7
                                                                                                                                                                                                                      SHA-512:61F6355FF4D984931E79624394CCCA217054AE0F61B9AF1A1EDED5ACCA3D6FEF8940E338C313BE63FC766E6E7161CAFA0C8AE44AD4E0BE26C22FF17E2E6ABAF7
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 1865728 bytes, 2 files, at 0x44 +A "content.inf" +A "Damask.thmx", flags 0x4, ID 63852, number 1, extra bytes 20 in head, 68 datablocks, 0x1503 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1881952
                                                                                                                                                                                                                      Entropy (8bit):7.999066394602922
                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                      SSDEEP:49152:6Wp9u/ZAvKz7ZFCejPiSmYXKIr6kBwBUA:6W6Bn7ZFNiiKo2l
                                                                                                                                                                                                                      MD5:53C5F45B22E133B28D4BD3B5A350FDBD
                                                                                                                                                                                                                      SHA1:D180CFB1438D27F76E1919DA3E84F307CB83434F
                                                                                                                                                                                                                      SHA-256:8AF4C7CAC47D2B9C7ADEADF276EDAE830B4CC5FFE7E765E3C3D7B3FADCB5F273
                                                                                                                                                                                                                      SHA-512:46AD3DA58C63CA62FCFC4FAF9A7B5B320F4898A1E84EEF4DE16E0C0843BAFE078982FC9F78C5AC6511740B35382400B5F7AC3AE99BB52E32AD9639437DB481D1
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 2573508 bytes, 2 files, at 0x44 +A "content.inf" +A "Mesh.thmx", flags 0x4, ID 62129, number 1, extra bytes 20 in head, 94 datablocks, 0x1503 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):2591108
                                                                                                                                                                                                                      Entropy (8bit):7.999030891647433
                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                      SSDEEP:49152:ZSBBeAefkpB5iXfQJgi7JBaCCRZ3cM2VDHkvSJO6qzI1tE9Rn:EBI6gbCkMPDHKSJO6qsP6n
                                                                                                                                                                                                                      MD5:BEB12A0464D096CA33BAEA4352CE800F
                                                                                                                                                                                                                      SHA1:F678D650B4A41676BA05C836D462F34BDC5BF648
                                                                                                                                                                                                                      SHA-256:A44166F5C9F2553555A43586BA5DB1C1DE54D72D308A48268F27C6A00076B1CA
                                                                                                                                                                                                                      SHA-512:B6E7CCD1ECBB9A49FC72E40771725825DAF41DDB2FF8EA4ECCE18B8FA1A59D3B2C474ADD055F30DA58C7E833A6E6555EBB77CCC324B61CA337187B4B41F7008B
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 2511552 bytes, 2 files, at 0x44 +A "content.inf" +A "Main_Event.thmx", flags 0x4, ID 59889, number 1, extra bytes 20 in head, 90 datablocks, 0x1503 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):2527736
                                                                                                                                                                                                                      Entropy (8bit):7.992272975565323
                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                      SSDEEP:49152:NFXdpz4d98p/q5jA4q+9Uf5kx6wHR8WfPJZVhWzH4dRze76YP9nJ7yyAInT76nSY:NFXdKx5sM9SmxHKexZVhutJJVpCSqa0Z
                                                                                                                                                                                                                      MD5:F256ACA509B4C6C0144D278C7036B0A8
                                                                                                                                                                                                                      SHA1:93F6106D0759AFD0061F73B876AA9CAB05AA8EF6
                                                                                                                                                                                                                      SHA-256:AD26761D59F1FA9783C2F49184A2E8FE55FCD46CD3C49FFC099C02310649DC67
                                                                                                                                                                                                                      SHA-512:08C57661F8CC9B547BBE42B4A5F8072B979E93346679ADE23CA685C0085F7BC14C26707B3D3C02F124359EBB640816E13763C7546FF095C96D2BB090320F3A95
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 3239239 bytes, 2 files, at 0x44 +A "content.inf" +A "Vapor_Trail.thmx", flags 0x4, ID 19811, number 1, extra bytes 20 in head, 111 datablocks, 0x1503 compression
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):3256855
                                                                                                                                                                                                                      Entropy (8bit):7.996842935632312
                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                      SSDEEP:98304:wh7I1aeH9YvgK+A+a7GiiQzP4YZDpQ2+Sd6Y:w21ay93aypQzzhpBL/
                                                                                                                                                                                                                      MD5:8867BDF5FC754DA9DA6F5BA341334595
                                                                                                                                                                                                                      SHA1:5067CCE84C6C682B75C1EF3DEA067A8D58D80FA9
                                                                                                                                                                                                                      SHA-256:42323DD1D3E88C3207E16E0C95CA1048F2E4CD66183AD23B90171DA381D37B58
                                                                                                                                                                                                                      SHA-512:93421D7FE305D27E7E2FD8521A8B328063CD22FE4DE67CCCF5D3B8F0258EF28027195C53062D179CD2EBA3A7E6F6A34A7A29297D4AF57650AA6DD19D1EF8413D
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 3400898 bytes, 2 files, at 0x4c "Insight design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 106 datablocks, 0x1203 compression
                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                      Size (bytes):3417042
                                                                                                                                                                                                                      Entropy (8bit):7.997652455069165
                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                      SSDEEP:98304:1YYkj2mRz6vkkB15AW4QD0ms+FdniD60bDUpS:qYkj7d6vP7NZDLn+PM8
                                                                                                                                                                                                                      MD5:749C3615E54C8E6875518CFD84E5A1B2
                                                                                                                                                                                                                      SHA1:64D51EB1156E850ECA706B00961C8B101F5AC2FC
                                                                                                                                                                                                                      SHA-256:F2D2DF37366F8E49106980377D2448080879027C380D90D5A25DA3BDAD771F8C
                                                                                                                                                                                                                      SHA-512:A5F591BA5C31513BD52BBFC5C6CAA79C036C7B50A55C4FDF96C84D311CCDCF1341F1665F1DA436D3744094280F98660481DCA4AA30BCEB3A7FCCB2A62412DC99
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):30
                                                                                                                                                                                                                      Entropy (8bit):1.2389205950315936
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3:uVX:uV
                                                                                                                                                                                                                      MD5:0B194F86E83D9652C8CF8D9E240F8EB3
                                                                                                                                                                                                                      SHA1:1D1EB2BF4EC88AAD421ECB0188A3AB693DD2785D
                                                                                                                                                                                                                      SHA-256:40D59731D707E1887A3A7F9C3CB4F3683C4ACACEB55322A09A60D4A940011452
                                                                                                                                                                                                                      SHA-512:953062CC787AEEA76A702B3D18736E96C89BE90C9D9C7097AF7D09B54A939701A72EFB5F89DD7CDF55191C4CFA8D7BFE7B3855FD212478B2CCF4CDF936D5EA2A
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Dec 3 06:47:04 2024, mtime=Tue Dec 3 06:47:11 2024, atime=Mon Dec 2 20:13:15 2024, length=230038, window=hide
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):600
                                                                                                                                                                                                                      Entropy (8bit):4.589993550930095
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:4xtQl3HgD8fatl0kl//LiIeugDO/Rej+cccljAlxx23LXlIRo3wrlHmyayvGmZp1:8ig1l0sXLEeqcUjAULXluGya5mV
                                                                                                                                                                                                                      MD5:7B643633DB8128B81CAC8B6CBFDE8B26
                                                                                                                                                                                                                      SHA1:CD64DFC6E636947940A881348EFAD2DBF00195D8
                                                                                                                                                                                                                      SHA-256:5107F60B02DF1F310C86205124B4B4A94E3E2C7F11559262F86A8946CAD3B63E
                                                                                                                                                                                                                      SHA-512:37A5E798813A706C6E3044A8738FDB5B45F58AFEAB4E545C563128D19A843A91D8E94C1B2601C051A3DCE5909F63D088B61A8A1D511FEB85A1E3CE50A784B9E4
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:L..................F.... ....4.WE......WE......D...............................P.O. .:i.....+00.../C:\...................P.1......Y.=..intel.<......Y.=.Y.=....x.....................s..i.n.t.e.l.....Z.2......Y.. .DOC~1.DOC.B......Y.=.Y.=....y.....................,dE.D.o.c...d.o.c.x.......@...............-.......?............F.......C:\intel\Doc.docx..#.....\.....\.....\.....\.....\.....\.....\.i.n.t.e.l.\.D.o.c...d.o.c.x.`.......X.......301389...........hT..CrF.f4... .d.2=.b...,...W..hT..CrF.f4... .d.2=.b...,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Generic INItialization configuration [folders]
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):41
                                                                                                                                                                                                                      Entropy (8bit):4.247557492317427
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3:HqdLBCm4UcBCv:HA9hGs
                                                                                                                                                                                                                      MD5:CE7BCCD008058E0D96C85995FABBDC9F
                                                                                                                                                                                                                      SHA1:939A8927196DC4C5E90B32234C1484B72052F5A1
                                                                                                                                                                                                                      SHA-256:2AD83E8B46EF787ABC53DC07C6D648975AF14441067BCC46017DA2B1A3DEE6CC
                                                                                                                                                                                                                      SHA-512:6D2B32C16C0B0E330EDC39C20F0666CC128F5A16D82E34837D7951FE71E02B8A5BA20CD3F0ECAA58D570B110FFCCA113FC87D4CA5C4ACBE3B557B21F20CAB872
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:[misc]..Doc.LNK=0..[folders]..Doc.LNK=0..
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):562113
                                                                                                                                                                                                                      Entropy (8bit):7.67409707491542
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12288:/dy5Gtyp/FZ9QqjdxDfSp424XeavSktiAVE0:/dizp1ndpqpMZnV
                                                                                                                                                                                                                      MD5:4A1657A3872F9A77EC257F41B8F56B3D
                                                                                                                                                                                                                      SHA1:4DDEA85C649A2C1408B5B08A15DEF49BAA608A0B
                                                                                                                                                                                                                      SHA-256:C17103ADE455094E17AC182AD4B4B6A8C942FD3ACB381F9A5E34E3F8B416AE60
                                                                                                                                                                                                                      SHA-512:7A2932639E06D79A5CE1D3C71091890D9E329CA60251E16AE4095E4A06C6428B4F86B7FFFA097BF3EEFA064370A4D51CA3DF8C89EAFA3B1F45384759DEC72922
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1649585
                                                                                                                                                                                                                      Entropy (8bit):7.875240099125746
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:24576:L368X6z95zf5BbQ6U79dYy2HiTIxRboyM/LZTl5KnCc:r68kb7UTYxGIxmnp65
                                                                                                                                                                                                                      MD5:35200E94CEB3BB7A8B34B4E93E039023
                                                                                                                                                                                                                      SHA1:5BB55EDAA4CDF9D805E36C36FB092E451BDDB74D
                                                                                                                                                                                                                      SHA-256:6CE04E8827ABAEA9B292048C5F84D824DE3CEFDB493101C2DB207BD4475AF1FD
                                                                                                                                                                                                                      SHA-512:ED80CEE7C22D10664076BA7558A79485AA39BE80582CEC9A222621764DAE5EFA70F648F8E8C5C83B6FE31C2A9A933C814929782A964A47157505F4AE79A3E2F9
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):558035
                                                                                                                                                                                                                      Entropy (8bit):7.696653383430889
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12288:DQ/oYjRRRRRRRRYcdY/5ASWYqBMp8xsGGEOzI7vQQwOyP:DQ/nRRRRRRRRxY/5JWYZ3GGbI8YA
                                                                                                                                                                                                                      MD5:3B5E44DDC6AE612E0346C58C2A5390E3
                                                                                                                                                                                                                      SHA1:23BCF3FCB61F80C91D2CFFD8221394B1CB359C87
                                                                                                                                                                                                                      SHA-256:9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
                                                                                                                                                                                                                      SHA-512:2E63419F272C6E411CA81945E85E08A6E3230A2F601C4D28D6312DB5C31321F94FAFA768B16BC377AE37B154C6869CA387005693A79C5AB1AC45ED73BCCC6479
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):570901
                                                                                                                                                                                                                      Entropy (8bit):7.674434888248144
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:D2tTXiO/3GH5SkPQVAqWnGrkFxvay910UUTWZJarUv9TA0g8:kX32H+VWgkFxSgGTmarUv9T
                                                                                                                                                                                                                      MD5:D676DE8877ACEB43EF0ED570A2B30F0E
                                                                                                                                                                                                                      SHA1:6C8922697105CEC7894966C9C5553BEB64744717
                                                                                                                                                                                                                      SHA-256:DF012D101DE808F6CD872DFBB619B16732C23CF4ABC64149B6C3CE49E9EFDA01
                                                                                                                                                                                                                      SHA-512:F40BADA680EA5CA508947290BA73901D78DE79EAA10D01EAEF975B80612D60E75662BDA542E7F71C2BBA5CA9BA46ECAFE208FD6E40C1F929BB5E407B10E89FBD
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):523048
                                                                                                                                                                                                                      Entropy (8bit):7.715248170753013
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:WfmDdN6Zfv8q5rnM6vZ02PtMZRkfW5ipbnMHxVcsOWrCMxy0sD/mcKb4rYEY:xDdQXBrMi2YtggW5ObnMH1brJpUmBU0N
                                                                                                                                                                                                                      MD5:C276F590BB846309A5E30ADC35C502AD
                                                                                                                                                                                                                      SHA1:CA6D9D6902475F0BE500B12B7204DD1864E7DD02
                                                                                                                                                                                                                      SHA-256:782996D93DEBD2AF9B91E7F529767A8CE84ACCC36CD62F24EBB5117228B98F58
                                                                                                                                                                                                                      SHA-512:B85165C769DFE037502E125A04CFACDA7F7CC36184B8D0A54C1F9773666FFCC43A1B13373093F97B380871571788D532DEEA352E8D418E12FD7AAD6ADB75A150
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):3078052
                                                                                                                                                                                                                      Entropy (8bit):7.954129852655753
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:49152:bSEjlpY8skyFHuj2yY0ciM9U2NCVBB4YFzYFw7IaJE2VRK+Xn9DOOe9pp9N9Hu:bfp5sksA3cimUVxV05aJE2fKaDOXdN9O
                                                                                                                                                                                                                      MD5:CDF98D6B111CF35576343B962EA5EEC6
                                                                                                                                                                                                                      SHA1:D481A70EC9835B82BD6E54316BF27FAD05F13A1C
                                                                                                                                                                                                                      SHA-256:E3F108DDB3B8581A7A2290DD1E220957E357A802ECA5B3087C95ED13AD93A734
                                                                                                                                                                                                                      SHA-512:95C352869D08C0FE903B15311622003CB4635DE8F3A624C402C869F1715316BE2D8D9C0AB58548A84BBB32757E5A1F244B1014120543581FDEA7D7D9D502EF9C
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):777647
                                                                                                                                                                                                                      Entropy (8bit):7.689662652914981
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:B04bNOJMngI856k0wwOGXMaXTLaTDmfBaN2Tx9iSUk1PdSnc0lnDlcGMcEFYYYYt:xbY6ngI46Aw5dmyYYYYYYYYY7p8d
                                                                                                                                                                                                                      MD5:B30D2EF0FC261AECE90B62E9C5597379
                                                                                                                                                                                                                      SHA1:4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3
                                                                                                                                                                                                                      SHA-256:BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
                                                                                                                                                                                                                      SHA-512:2E728408C20C3C23C84A1C22DB28F0943AAA960B4436F8C77570448D5BEA9B8D53D95F7562883FA4F9B282DFE2FD07251EEEFDE5481E49F99B8FEDB66AAAAB68
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):924687
                                                                                                                                                                                                                      Entropy (8bit):7.824849396154325
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12288:lsadD3eLxI8XSh4yDwFw8oWR+6dmw2ZpQDKpazILv7Jzny/ApcWqyOpEZULn:qLxI8XSh4yUF/oWR+mLKpYIr7l3ZQ7n
                                                                                                                                                                                                                      MD5:97EEC245165F2296139EF8D4D43BBB66
                                                                                                                                                                                                                      SHA1:0D91B68CCB6063EB342CFCED4F21A1CE4115C209
                                                                                                                                                                                                                      SHA-256:3C5CF7BDB27592791ADF4E7C5A09DDE4658E10ED8F47845064DB1153BE69487C
                                                                                                                                                                                                                      SHA-512:8594C49CAB6FF8385B1D6E174431DAFB0E947A8D7D3F200E622AE8260C793906E17AA3E6550D4775573858EA1243CCBF7132973CD1CF7A72C3587B9691535FF8
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):966946
                                                                                                                                                                                                                      Entropy (8bit):7.8785200658952
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:24576:qBcvGBGhXQir6H1ws6+iU0YuA35VuinHX2NPs:ccvGBGdQ5CsMxQVj3yPs
                                                                                                                                                                                                                      MD5:F03AB824395A8F1F1C4F92763E5C5CAD
                                                                                                                                                                                                                      SHA1:A6E021918C3CEFFB6490222D37ECEED1FC435D52
                                                                                                                                                                                                                      SHA-256:D96F7A63A912CA058FB140138C41DCB3AF16638BA40820016AF78DF5D07FAEDD
                                                                                                                                                                                                                      SHA-512:0241146B63C938F11045FB9DF5360F63EF05B9B3DD1272A3E3E329A1BFEC5A4A645D5472461DE9C06CFE4ADB991FE96C58F0357249806C341999C033CD88A7AF
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1204049
                                                                                                                                                                                                                      Entropy (8bit):7.92476783994848
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:24576:+3zSQBxvOUIpHLYTCEmS1Wu09jRalJP3sdgnmAOFt0zU4L0MRx5QNn5:+bvI5UTCPu09qP3JPOFoR4N5
                                                                                                                                                                                                                      MD5:FD5BBC58056522847B3B75750603DF0C
                                                                                                                                                                                                                      SHA1:97313E85C0937739AF7C7FC084A10BF202AC9942
                                                                                                                                                                                                                      SHA-256:44976408BD6D2703BDBE177259061A502552193B1CD05E09B698C0DAC3653C5F
                                                                                                                                                                                                                      SHA-512:DBD72827044331215A7221CA9B0ECB8809C7C79825B9A2275F3450BAE016D7D320B4CA94095F7CEF4372AC63155C78CA4795E23F93166D4720032ECF9F932B8E
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):486596
                                                                                                                                                                                                                      Entropy (8bit):7.668294441507828
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:A+JBmUx0Zo24n8z/2NSYFl2qGBuv8p6+LwwYmN59wBttsdJrmXMlP1NwQoGgeL:fNgxz/g5z2BT6+Eu0ntMcczNQG5L
                                                                                                                                                                                                                      MD5:0E37AECABDB3FDF8AAFEDB9C6D693D2F
                                                                                                                                                                                                                      SHA1:F29254D2476DF70979F723DE38A4BF41C341AC78
                                                                                                                                                                                                                      SHA-256:7AC7629142C2508B070F09788217114A70DE14ACDB9EA30CBAB0246F45082349
                                                                                                                                                                                                                      SHA-512:DE6AFE015C1D41737D50ADD857300996F6E929FED49CB71BC59BB091F9DAB76574C56DEA0488B0869FE61E563B07EBB7330C8745BC1DF6305594AC9BDEA4A6BF
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):976001
                                                                                                                                                                                                                      Entropy (8bit):7.791956689344336
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:24576:zHM7eZGgFiHMRej4N9tpytNZ+tIw5ErZBImlX0m:zHM7eZGgFiHMRej++NZ+F5WvllZ
                                                                                                                                                                                                                      MD5:9E563D44C28B9632A7CF4BD046161994
                                                                                                                                                                                                                      SHA1:D3DB4E5F5B1CC6DD08BB3EBF488FF05411348A11
                                                                                                                                                                                                                      SHA-256:86A70CDBE4377C32729FD6C5A0B5332B7925A91C492292B7F9C636321E6FAD86
                                                                                                                                                                                                                      SHA-512:8EB14A1B10CB5C7607D3E07E63F668CFC5FC345B438D39138D62CADF335244952FBC016A311D5CB8A71D50660C49087B909528FC06C1D10AF313F904C06CBD5C
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1463634
                                                                                                                                                                                                                      Entropy (8bit):7.898382456989258
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:24576:75MGNW/UpLkupMAqDJhNHK4/TuiKbdhbZM+byLH/:7ZwUpLkulkHK46iiDZHeLH/
                                                                                                                                                                                                                      MD5:ACBA78931B156E4AF5C4EF9E4AB3003B
                                                                                                                                                                                                                      SHA1:2A1F506749A046ECFB049F23EC43B429530EC489
                                                                                                                                                                                                                      SHA-256:943E4044C40ABA93BD7EA31E8B5EBEBD7976085E8B1A89E905952FA8DAC7B878
                                                                                                                                                                                                                      SHA-512:2815D912088BA049F468CA9D65B92F8951A9BE82AB194DBFACCF0E91F0202820F5BC9535966654D28F69A8B92D048808E95FEA93042D8C5DEA1DCB0D58BE5175
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):2218943
                                                                                                                                                                                                                      Entropy (8bit):7.942378408801199
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:49152:8mwK3gH/l4hM06Wqnnl1IdO9wASFntrPEWNe7:863gHt4hM9WWnMdO9w35PEWK
                                                                                                                                                                                                                      MD5:EE33FDA08FBF10EF6450B875717F8887
                                                                                                                                                                                                                      SHA1:7DFA77B8F4559115A6BF186EDE51727731D7107D
                                                                                                                                                                                                                      SHA-256:5CF611069F281584DE3E63DE8B99253AA665867299DC0192E8274A32A82CAA20
                                                                                                                                                                                                                      SHA-512:AED6E11003AAAACC3FB28AE838EDA521CB5411155063DFC391ACE2B9CBDFBD5476FAB2B5CC528485943EBBF537B95F026B7B5AB619893716F0A91AEFF076D885
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1750795
                                                                                                                                                                                                                      Entropy (8bit):7.892395931401988
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:24576:DyeAqDJpUDH3xk8ZKIBuX3TPtd36v4o5d4PISMETGBP6eUP+xSeW3v0HKPsc:uRqUjSTPtd36AFDM/BP6eUeW3v0Fc
                                                                                                                                                                                                                      MD5:529795E0B55926752462CBF32C14E738
                                                                                                                                                                                                                      SHA1:E72DFF8354DF2CB6A5698F14BBD1805D72FEEAFF
                                                                                                                                                                                                                      SHA-256:8D341D1C24176DC6B67104C2AF90FABD3BFF666CCC0E269381703D7659A6FA05
                                                                                                                                                                                                                      SHA-512:A51F440F1E19C084D905B721D0257F7EEE082B6377465CB94E677C29D4E844FD8021D0B6BA26C0907B72B84157C60A3EFEDFD96C16726F6ABEA8D896D78B08CE
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):2924237
                                                                                                                                                                                                                      Entropy (8bit):7.970803022812704
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:49152:mc4NEo4XNd5wU5qTkdC4+K9u5b/i40RKRAO/cLf68wy9yxKrOUURBgmai2prH:mJef5yTSoKMF//DRGJwLx9DBaH
                                                                                                                                                                                                                      MD5:5AF1581E9E055B6E323129E4B07B1A45
                                                                                                                                                                                                                      SHA1:B849F85BCAF0E1C58FA841FFAE3476D20D33F2DD
                                                                                                                                                                                                                      SHA-256:BDC9FBF81FBE91F5BF286B2CEA00EE76E70752F7E51FE801146B79F9ADCB8E98
                                                                                                                                                                                                                      SHA-512:11BFEF500DAEC099503E8CDB3B4DE4EDE205201C0985DB4CA5EBBA03471502D79D6616D9E8F471809F6F388D7CBB8B0D0799262CBE89FEB13998033E601CEE09
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):2357051
                                                                                                                                                                                                                      Entropy (8bit):7.929430745829162
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:49152:tfVcGO3JiR6SgT7/bOCrKCsaFCX3CzwovQTSwW8nX:pVcG2iRedsaoXSzeOwWEX
                                                                                                                                                                                                                      MD5:5BDE450A4BD9EFC71C370C731E6CDF43
                                                                                                                                                                                                                      SHA1:5B223FB902D06F9FCC70C37217277D1E95C8F39D
                                                                                                                                                                                                                      SHA-256:93BFC6AC1DC1CFF497DF92B30B42056C9D422B2321C21D65728B98E420D4ED50
                                                                                                                                                                                                                      SHA-512:2365A9F76DA07D705A6053645FD2334D707967878F930061D451E571D9228C74A8016367525C37D09CB2AD82261B4B9E7CAEFBA0B96CE2374AC1FAC6B7AB5123
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):3611324
                                                                                                                                                                                                                      Entropy (8bit):7.965784120725206
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:49152:ixc1kZBIabo4dTJyr3hJ50gd9OaFxTy+1Nn/M/noivF0po3M0h0Vsm:ixcaAabT83hJLdoaFxTygxcoiX3M0iCm
                                                                                                                                                                                                                      MD5:FB88BFB743EEA98506536FC44B053BD0
                                                                                                                                                                                                                      SHA1:B27A67A5EEC1B5F9E7A9C3B76223EDE4FCAF5537
                                                                                                                                                                                                                      SHA-256:05057213BA7E5437AC3B8E9071A5577A8F04B1A67EFE25A08D3884249A22FBBF
                                                                                                                                                                                                                      SHA-512:4270A19F4D73297EEC910B81FF17441F3FC7A6A2A84EBA2EA3F7388DD3AA0BA31E9E455CFF93D0A34F4EC7CA74672D407A1C4DC838A130E678CA92A2E085851C
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1091485
                                                                                                                                                                                                                      Entropy (8bit):7.906659368807194
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:24576:oBpmCkw3Tg/euEB+UdoC4k7ytHkHA6B/puqW2MIkTeSBmKrZHQ:MR3c/AseydwppC7veSBmWHQ
                                                                                                                                                                                                                      MD5:2192871A20313BEC581B277E405C6322
                                                                                                                                                                                                                      SHA1:1F9A6A5E10E1C3FFEB6B6725C5D2FA9ECDF51085
                                                                                                                                                                                                                      SHA-256:A06B302954A4C9A6A104A8691864A9577B0BFEA240B0915D9BEA006E98CDFFEC
                                                                                                                                                                                                                      SHA-512:6D8844D2807BB90AEA6FE0DDDB9C67542F587EC9B7FC762746164B2D4A1A99EF8368A70C97BAD7A986AAA80847F64408F50F4707BB039FCCC509133C231D53B9
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):608122
                                                                                                                                                                                                                      Entropy (8bit):7.729143855239127
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:Ckl6KRKwg9jf2q/bN69OuGFlC/DUhq68xOcJzGYnTxlLqU8dmTW:8yKwgZ2qY9kA7Uhq68H3ybmq
                                                                                                                                                                                                                      MD5:8BA551EEC497947FC39D1D48EC868B54
                                                                                                                                                                                                                      SHA1:02FA15FDAF0D7E2F5D44CAE5FFAE49E8F91328DF
                                                                                                                                                                                                                      SHA-256:DB2E99B969546E431548EBD58707FC001BBD1A4BDECAD387D194CC9C6D15AC89
                                                                                                                                                                                                                      SHA-512:CC97F9B2C83FF7CAC32AB9A9D46E0ACDE13EECABECD653C88F74E4FC19806BB9498D2F49C4B5581E58E7B0CB95584787EA455E69D99899381B592BEA177D4D4B
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):5783
                                                                                                                                                                                                                      Entropy (8bit):7.88616857639663
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:CDG4D+8VsXzXc2zLXTJ2XFY47pk2G7HVlwFzTXNbMfmn2ivLZcreFWw5fc9ADdZm:CDG4DRGY23l2Xu47GL7YtT9V29yWvWdk
                                                                                                                                                                                                                      MD5:8109B3C170E6C2C114164B8947F88AA1
                                                                                                                                                                                                                      SHA1:FC63956575842219443F4B4C07A8127FBD804C84
                                                                                                                                                                                                                      SHA-256:F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
                                                                                                                                                                                                                      SHA-512:F8A8D7A6469CD3E7C31F3335DDCC349AD7A686730E1866F130EE36AA9994C52A01545CE73D60B642FFE0EE49972435D183D8CD041F2BB006A6CAF31BAF4924AC
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):4026
                                                                                                                                                                                                                      Entropy (8bit):7.809492693601857
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:VpDCBFLhxaUGm5EWA07yNdKH1FQpy8tnX8Iz3b7TrT502+fPD:VpDYFFRMNU+RtXzLf35t+3D
                                                                                                                                                                                                                      MD5:5D9BAD7ADB88CEE98C5203883261ACA1
                                                                                                                                                                                                                      SHA1:FBF1647FCF19BCEA6C3CF4365C797338CA282CD2
                                                                                                                                                                                                                      SHA-256:8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
                                                                                                                                                                                                                      SHA-512:7132923869A3DA2F2A75393959382599D7C4C05CA86B4B27271AB9EA95C7F2E80A16B45057F4FB729C9593F506208DC70AF2A635B90E4D8854AC06C787F6513D
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):4243
                                                                                                                                                                                                                      Entropy (8bit):7.824383764848892
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:22MQe4zHye8/djzF+JjvtmMkkBpF7e0LTkaf:22De4zHHCvF+nRBDXoaf
                                                                                                                                                                                                                      MD5:7BC0A35807CD69C37A949BBD51880FF5
                                                                                                                                                                                                                      SHA1:B5870846F44CAD890C6EFF2F272A037DA016F0D8
                                                                                                                                                                                                                      SHA-256:BD3A013F50EBF162AAC4CED11928101554C511BD40C2488CF9F5842A375B50CA
                                                                                                                                                                                                                      SHA-512:B5B785D693216E38B5AB3F401F414CADACCDCB0DCA4318D88FE1763CD3BAB8B7670F010765296613E8D3363E47092B89357B4F1E3242F156750BE86F5F7E9B8D
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):16806
                                                                                                                                                                                                                      Entropy (8bit):7.9519793977093505
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:eSMjhqgJDGwOzHR3iCpK+QdLdfufFJ9aDn9LjDMVAwHknbz7OW:eSkhqglGwERSAHQdLhDn9AKokv7H
                                                                                                                                                                                                                      MD5:950F3AB11CB67CC651082FEBE523AF63
                                                                                                                                                                                                                      SHA1:418DE03AD2EF93D0BD29C3D7045E94D3771DACB4
                                                                                                                                                                                                                      SHA-256:9C5E4D8966A0B30A22D92DB1DA2F0DBF06AC2EA75E7BB8501777095EA0196974
                                                                                                                                                                                                                      SHA-512:D74BF52A58B0C0327DB9DDCAD739794020F00B3FA2DE2B44DAAEC9C1459ECAF3639A5D761BBBC6BDF735848C4FD7E124D13B23964B0055BB5AA4F6AFE76DFE00
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):11380
                                                                                                                                                                                                                      Entropy (8bit):7.891971054886943
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:VJcnLYnAVbOFLaCPLrGGbhaWEu6d3RmryqLkeAShObPb1AYcRMMXjkfa0nYBwggD:VcMC8lLrRbhy1ZqLyShYb1FHQ4C0nYQJ
                                                                                                                                                                                                                      MD5:C9F9364C659E2F0C626AC0D0BB519062
                                                                                                                                                                                                                      SHA1:C4036C576074819309D03BB74C188BF902D1AE00
                                                                                                                                                                                                                      SHA-256:6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
                                                                                                                                                                                                                      SHA-512:173A5E68E55163B081C5A8DA24AE46428E3FB326EBE17AE9588C7F7D7E5E5810BFCF08C23C3913D6BEC7369E06725F50387612F697AC6A444875C01A2C94D0FF
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):6024
                                                                                                                                                                                                                      Entropy (8bit):7.886254023824049
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:bGa2onnLYHTSSxpHVTSH1bywZKmpRqiUtFvS9xrPooBpni6eDa16MUELHsrKjRBA:SJonLYzSSr1TuZNwtFZKpiiyrKXuCUd
                                                                                                                                                                                                                      MD5:20621E61A4C5B0FFEEC98FFB2B3BCD31
                                                                                                                                                                                                                      SHA1:4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4
                                                                                                                                                                                                                      SHA-256:223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
                                                                                                                                                                                                                      SHA-512:BDF3A8E3D6EE87D8ADE0767918603B8D238CAE8A2DD0C0F0BF007E89E057C7D1604EB3CCAF0E1BA54419C045FC6380ECBDD070F1BB235C44865F1863A8FA7EEA
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):9191
                                                                                                                                                                                                                      Entropy (8bit):7.93263830735235
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:oeAMExvPJMg+yE+AfJLi3+Xoj7F3sPgMG61J88eDhFWT7hFNsdJtnLYJ7tSh:v2d+hnfJLi3+4ja4WqhFWT7FsdHMA
                                                                                                                                                                                                                      MD5:08D3A25DD65E5E0D36ADC602AE68C77D
                                                                                                                                                                                                                      SHA1:F23B6DDB3DA0015B1D8877796F7001CABA25EA64
                                                                                                                                                                                                                      SHA-256:58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
                                                                                                                                                                                                                      SHA-512:77D24C272D67946A3413D0BEA700A7519B4981D3B4D8486A655305546CE6133456321EE94FD71008CBFD678433EA1C834CFC147179B31899A77D755008FCE489
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):4326
                                                                                                                                                                                                                      Entropy (8bit):7.821066198539098
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:+fF+Jrp7Yo5hnJiGa24TxEcpUeONo1w2NFocy2LQi33Z:2+f7YuhJdJ4TxEcmKwGkk3Z
                                                                                                                                                                                                                      MD5:D32E93F7782B21785424AE2BEA62B387
                                                                                                                                                                                                                      SHA1:1D5589155C319E28383BC01ED722D4C2A05EF593
                                                                                                                                                                                                                      SHA-256:2DC7E71759D84EF8BB23F11981E2C2044626FEA659383E4B9922FE5891F5F478
                                                                                                                                                                                                                      SHA-512:5B07D6764A6616A7EF25B81AB4BD4601ECEC1078727BFEAB4A780032AD31B1B26C7A2306E0DBB5B39FC6E03A3FC18AD67C170EA9790E82D8A6CEAB8E7F564447
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):7370
                                                                                                                                                                                                                      Entropy (8bit):7.9204386289679745
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:fYa+ngK2xG6HvLvoUnXxO+blKO1lt2Zg0AV:fYVn8Y6Hv3XxO+8uQZCV
                                                                                                                                                                                                                      MD5:586CEBC1FAC6962F9E36388E5549FFE9
                                                                                                                                                                                                                      SHA1:D1EF3BF2443AE75A78E9FDE8DD02C5B3E46F5F2E
                                                                                                                                                                                                                      SHA-256:1595C0C027B12FE4C2B506B907C795D14813BBF64A2F3F6F5D71912D7E57BC40
                                                                                                                                                                                                                      SHA-512:68DEAE9C59EA98BD597AE67A17F3029BC7EA2F801AC775CF7DECA292069061EA49C9DF5776CB5160B2C24576249DAF817FA463196A04189873CF16EFC4BEDC62
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):5596
                                                                                                                                                                                                                      Entropy (8bit):7.875182123405584
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:dGa2unnLYEB2EUAPOak380NQjqbHaPKJebgrEVws8Vw+BMa0EbdLVQaZJgDZh0pJ:UJunLYEB2EUAxk3pIYaScgYwsV4bdS0X
                                                                                                                                                                                                                      MD5:CDC1493350011DB9892100E94D5592FE
                                                                                                                                                                                                                      SHA1:684B444ADE2A8DBE760B54C08F2D28F2D71AD0FA
                                                                                                                                                                                                                      SHA-256:F637A67799B492FEFFB65632FED7815226396B4102A7ED790E0D9BB4936E1548
                                                                                                                                                                                                                      SHA-512:3699066A4E8A041079F12E88AB2E7F485E968619CB79175267842846A3AD64AA8E7778CBACDF1117854A7FDCFB46C8025A62F147C81074823778C6B4DC930F12
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):3683
                                                                                                                                                                                                                      Entropy (8bit):7.772039166640107
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:GyfQZd6ZHNCWl9aXFkZwIq/QDsRYPf8P9QtDIs5r:G6wYtNZS1k99AmPfSOtD5r
                                                                                                                                                                                                                      MD5:E8308DA3D46D0BC30857243E1B7D330D
                                                                                                                                                                                                                      SHA1:C7F8E54A63EB254C194A23137F269185E07F9D10
                                                                                                                                                                                                                      SHA-256:6534D4D7EF31B967DD0A20AFFF092F8B93D3C0EFCBF19D06833F223A65C6E7C4
                                                                                                                                                                                                                      SHA-512:88AB7263B7A8D7DDE1225AE588842E07DF3CE7A07CBD937B7E26DA7DA7CFED23F9C12730D9EF4BC1ACF26506A2A96E07875A1A40C2AD55AD1791371EE674A09B
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):4888
                                                                                                                                                                                                                      Entropy (8bit):7.8636569313247335
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:StrFZ23/juILHPzms5UTuK9CuZGEoEuZ28H1HiGa2RnnLY+tUb:SPZQ7uCHPzms5UTlqauZVHdJRnLY+tUb
                                                                                                                                                                                                                      MD5:0A4CA91036DC4F3CD8B6DBF18094CF25
                                                                                                                                                                                                                      SHA1:6C7EED2530CD0032E9EEAB589AFBC296D106FBB9
                                                                                                                                                                                                                      SHA-256:E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
                                                                                                                                                                                                                      SHA-512:7C69426F2250E8C84368E8056613C22977630A4B3F5B817FB5EA69081CE2A3CA6E5F93DF769264253D5411419AF73467A27F0BB61291CCDE67D931BD0689CB66
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):6448
                                                                                                                                                                                                                      Entropy (8bit):7.897260397307811
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:tgaoRbo1sMjb0NiJ85oPtqcS+yaXWoa8XBzdJYnLYFtWT7:LR1sk+i4o1qc1yaukzd8MK
                                                                                                                                                                                                                      MD5:42A840DC06727E42D42C352703EC72AA
                                                                                                                                                                                                                      SHA1:21AAAF517AFB76BF1AF4E06134786B1716241D29
                                                                                                                                                                                                                      SHA-256:02CCE7D526F844F70093AC41731D1A1E9B040905DCBA63BA8BFFC0DBD4D3A7A7
                                                                                                                                                                                                                      SHA-512:8886BFD240D070237317352DEB3D46C6B07E392EBD57730B1DED016BD8740E75B9965F7A3FCD43796864F32AAE0BE911AB1A670E9CCC70E0774F64B1BDA93488
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):5630
                                                                                                                                                                                                                      Entropy (8bit):7.87271654296772
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:n5ni6jKZWsD+QJaUQ7R6qYFF5QS+BEgeJam6S7ZCHuKViGa2CnnLYLt/ht:nccqxIBdQ1QS+uDJanS7ZCHHVdJCnLY5
                                                                                                                                                                                                                      MD5:2F8998AA9CF348F1D6DE16EAB2D92070
                                                                                                                                                                                                                      SHA1:85B13499937B4A584BEA0BFE60475FD4C73391B6
                                                                                                                                                                                                                      SHA-256:8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
                                                                                                                                                                                                                      SHA-512:F10F7772985EDDA442B9558127F1959FF0A9909C7B7470E62D74948428BFFF7E278739209E8626AE5917FF728AFB8619AE137BEE2A6A4F40662122208A41ABB2
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):6193
                                                                                                                                                                                                                      Entropy (8bit):7.855499268199703
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:WavHMKgnU2HUGFhUnkbOKoztj1QfcnLYut3d8:YKeUlGXUnC+HQSMp
                                                                                                                                                                                                                      MD5:031C246FFE0E2B623BBBD231E414E0D2
                                                                                                                                                                                                                      SHA1:A57CA6134779D54691A4EFD344BC6948E253E0BA
                                                                                                                                                                                                                      SHA-256:2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
                                                                                                                                                                                                                      SHA-512:6A784C28E12C3740300883A0E690F560072A3EA8199977CBD7F260A21E8346B82BA8A4F78394D3BB53FA2E98564B764C2D0232C40B25FB6085C36D20D70A39D1
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):3075
                                                                                                                                                                                                                      Entropy (8bit):7.716021191059687
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:48:96yn4sOBoygpySCCxwKsZCB2oLEIK+aQpUNLRQWtmMamIZxAwCC2QnyODhVOzP4:l0vCxJsZQ2ofpKvtmMdIZxAwJyODhVOE
                                                                                                                                                                                                                      MD5:67766FF48AF205B771B53AA2FA82B4F4
                                                                                                                                                                                                                      SHA1:0964F8B9DC737E954E16984A585BDC37CE143D84
                                                                                                                                                                                                                      SHA-256:160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
                                                                                                                                                                                                                      SHA-512:AC28B0B4A9178E9B424E5893870913D80F4EE03D595F587AA1D3ACC68194153BAFC29436ADFD6EA8992F0B00D17A43CFB42C529829090AF32C3BE591BD41776D
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft OOXML
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):5151
                                                                                                                                                                                                                      Entropy (8bit):7.859615916913808
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:WkV3UHhcZDEteEJqeSGzpG43GUR8m8b6dDLiCTfjKPnD6H5RhfuDKNtxx3+7tDLp:Wq3UBc9EJqIpGgD5dDL1DjKvDKhfnNti
                                                                                                                                                                                                                      MD5:6C24ED9C7C868DB0D55492BB126EAFF8
                                                                                                                                                                                                                      SHA1:C6D96D4D298573B70CF5C714151CF87532535888
                                                                                                                                                                                                                      SHA-256:48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
                                                                                                                                                                                                                      SHA-512:A3E9DC48C04DC8571289F57AE790CA4E6934FBEA4FDDC20CB780F7EA469FE1FC1D480A1DBB04D15301EF061DA5700FF0A793EB67D2811C525FEF618B997BCABD
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):333258
                                                                                                                                                                                                                      Entropy (8bit):4.654450340871081
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:ybW83Zb181+MKHZR5D7H3hgtfL/8mIDbEhPv9FHSVsioWUyGYmwxAw+GIfnUNv5J:i
                                                                                                                                                                                                                      MD5:5632C4A81D2193986ACD29EADF1A2177
                                                                                                                                                                                                                      SHA1:E8FF4FDFEB0002786FCE1CF8F3D25F8E9631E346
                                                                                                                                                                                                                      SHA-256:06DE709513D7976690B3DD8F5FDF1E59CF456A2DFBA952B97EACC72FE47B238B
                                                                                                                                                                                                                      SHA-512:676CE1957A374E0F36634AA9CFFBCFB1E1BEFE1B31EE876483B10763EA9B2D703F2F3782B642A5D7D0945C5149B572751EBD9ABB47982864834EF61E3427C796
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.. <xsl:output method="html" encoding="us-ascii"/>.... <xsl:template match="*" mode="outputHtml2">.. <xsl:apply-templates mode="outputHtml"/>.. </xsl:template>.... <xsl:template name="StringFormatDot">.. <xsl:param name="format" />.. <xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.. <xsl:when test="$format = ''"></xsl:when>.. <xsl:when test="substring($format, 1, 2) = '%%'">.. <xsl:text>%</xsl:text>.. <xsl:call-template name="StringFormatDot">.. <xsl:with-param name="format" select="substring($format, 3)" />.. <xsl:with-param name=
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):296658
                                                                                                                                                                                                                      Entropy (8bit):5.000002997029767
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:RwprAMk0qvtfL/vF/bkWPz9yv7EOMBPitjASjTQQr7IwR0TnyDkJb78plJwf33iV:M
                                                                                                                                                                                                                      MD5:9AC6DE7B629A4A802A41F93DB2C49747
                                                                                                                                                                                                                      SHA1:3D6E929AA1330C869D83F2BF8EBEBACD197FB367
                                                                                                                                                                                                                      SHA-256:52984BC716569120D57C8E6A360376E9934F00CF31447F5892514DDCCF546293
                                                                                                                                                                                                                      SHA-512:5736F14569E0341AFB5576C94B0A7F87E42499CEC5927AAC83BB5A1F77B279C00AEA86B5F341E4215076D800F085D831F34E4425AD9CFD52C7AE4282864B1E73
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):268317
                                                                                                                                                                                                                      Entropy (8bit):5.05419861997223
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):255948
                                                                                                                                                                                                                      Entropy (8bit):5.103631650117028
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>............<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select=
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):251032
                                                                                                                                                                                                                      Entropy (8bit):5.102652100491927
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):284415
                                                                                                                                                                                                                      Entropy (8bit):5.00549404077789
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2008</xsl:text>.....</xsl:when>.... <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <x
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):294178
                                                                                                                                                                                                                      Entropy (8bit):4.977758311135714
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2006</xsl:text>.....</xsl:when>.. <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameL
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):270198
                                                                                                                                                                                                                      Entropy (8bit):5.073814698282113
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):217137
                                                                                                                                                                                                                      Entropy (8bit):5.068335381017074
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>...... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parame
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):254875
                                                                                                                                                                                                                      Entropy (8bit):5.003842588822783
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:MwprAnniNgtfbzbOWPuv7kOMBLitjAUjTQLrYHwR0TnyDkHqV3iPr1zHX5T6SSXj:a
                                                                                                                                                                                                                      MD5:377B3E355414466F3E3861BCE1844976
                                                                                                                                                                                                                      SHA1:0B639A3880ACA3FD90FA918197A669CC005E2BA4
                                                                                                                                                                                                                      SHA-256:4AC5B26C5E66E122DE80243EF621CA3E1142F643DD2AD61B75FF41CFEE3DFFAF
                                                                                                                                                                                                                      SHA-512:B050AD52A8161F96CBDC880DD1356186F381B57159F5010489B04528DB798DB955F0C530465AB3ECD5C653586508429D98336D6EB150436F1A53ABEE0697AEB9
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>...</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />......<xsl:variable name="prop_EndChars">.....<xsl:call-template name="templ_prop_EndChars"/>....</xsl:variable>......<xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parameters" />......
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):344303
                                                                                                                                                                                                                      Entropy (8bit):5.023195898304535
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:UwprANnsqvtfL/vF/bkWPRMMv7EOMBPitjASjTQQr7IwR0TnyDk1b78plJwf33iD:6
                                                                                                                                                                                                                      MD5:F079EC5E2CCB9CD4529673BCDFB90486
                                                                                                                                                                                                                      SHA1:FBA6696E6FA918F52997193168867DD3AEBE1AD6
                                                                                                                                                                                                                      SHA-256:3B651258F4D0EE1BFFC7FB189250DED1B920475D1682370D6685769E3A9346DB
                                                                                                                                                                                                                      SHA-512:4FFFA59863F94B3778F321DA16C43B92A3053E024BDD8C5317077EA1ECC7B09F67ECE3C377DB693F3432BF1E2D947EC5BF8E88E19157ED08632537D8437C87D6
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$pa
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):250983
                                                                                                                                                                                                                      Entropy (8bit):5.057714239438731
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:JwprA6OS95vtfb8p4bgWPzkhUh9I5/oBRSifJeg/yQzvapSiQhHZeruvoXMUw3im:uP
                                                                                                                                                                                                                      MD5:F883B260A8D67082EA895C14BF56DD56
                                                                                                                                                                                                                      SHA1:7954565C1F243D46AD3B1E2F1BAF3281451FC14B
                                                                                                                                                                                                                      SHA-256:EF4835DB41A485B56C2EF0FF7094BC2350460573A686182BC45FD6613480E353
                                                                                                                                                                                                                      SHA-512:D95924A499F32D9B4D9A7D298502181F9E9048C21DBE0496FA3C3279B263D6F7D594B859111A99B1A53BD248EE69B867D7B1768C42E1E40934E0B990F0CE051E
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Word 2007+
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):51826
                                                                                                                                                                                                                      Entropy (8bit):5.541375256745271
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:384:erH5dYPCA4t3aEFGiSUDtYfEbi5Ry/AT7/6tHODaFlDSomurYNfT4A0VIwWNS89u:Q6Cbh9tENyWdaFUSYNfZS89/3qtEu
                                                                                                                                                                                                                      MD5:2AB22AC99ACFA8A82742E774323C0DBD
                                                                                                                                                                                                                      SHA1:790F8B56DF79641E83A16E443A75A66E6AA2F244
                                                                                                                                                                                                                      SHA-256:BC9D45D0419A08840093B0BF4DCF96264C02DFE5BD295CD9B53722E1DA02929D
                                                                                                                                                                                                                      SHA-512:E5715C0ECF35CE250968BD6DE5744D28A9F57D20FD6866E2AF0B2D8C8F80FEDC741D48F554397D61C5E702DA896BD33EED92D778DBAC71E2E98DCFB0912DE07B
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Word 2007+
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):47296
                                                                                                                                                                                                                      Entropy (8bit):6.42327948041841
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:ftjI1BT8N37szq00s7dB2wMVJGHR97/RDU5naXUsT:fJIPTfq0ndB2w1bpsE
                                                                                                                                                                                                                      MD5:5A53F55DD7DA8F10A8C0E711F548B335
                                                                                                                                                                                                                      SHA1:035E685927DA2FECB88DE9CAF0BECEC88BC118A7
                                                                                                                                                                                                                      SHA-256:66501B659614227584DA04B64F44309544355E3582F59DBCA3C9463F67B7E303
                                                                                                                                                                                                                      SHA-512:095BD5D1ACA2A0CA3430DE2F005E1D576AC9387E096D32D556E4348F02F4D658D0E22F2FC4AA5BF6C07437E6A6230D2ABF73BBD1A0344D73B864BC4813D60861
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Word 2007+
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):34415
                                                                                                                                                                                                                      Entropy (8bit):7.352974342178997
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:ev13NPo9o5NGEVIi3kvH+3SMdk7zp3tE2:ev13xoOE+R3BkR7
                                                                                                                                                                                                                      MD5:7CDFFC23FB85AD5737452762FA36AAA0
                                                                                                                                                                                                                      SHA1:CFBC97247959B3142AFD7B6858AD37B18AFB3237
                                                                                                                                                                                                                      SHA-256:68A8FBFBEE4C903E17C9421082E839144C205C559AFE61338CBDB3AF79F0D270
                                                                                                                                                                                                                      SHA-512:A0685FD251208B772436E9745DA2AA52BC26E275537688E3AB44589372D876C9ACE14B21F16EC4053C50EB4C8E11787E9B9D922E37249D2795C5B7986497033E
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Microsoft Word 2007+
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):3465076
                                                                                                                                                                                                                      Entropy (8bit):7.898517227646252
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:98304:n8ItVaN7vTMZ9IBbaETXbI8ItVaN7vTMZ9IBbaEiXbY:8ItwNX9BvTvItwNX9BvoM
                                                                                                                                                                                                                      MD5:8BC84DB5A3B2F8AE2940D3FB19B43787
                                                                                                                                                                                                                      SHA1:3A5FE7B14D020FAD0E25CD1DF67864E3E23254EE
                                                                                                                                                                                                                      SHA-256:AF1FDEEA092169BF794CDC290BCA20AEA07AC7097D0EFCAB76F783FA38FDACDD
                                                                                                                                                                                                                      SHA-512:558F52C2C79BF4A3FBB8BB7B1C671AFD70A2EC0B1BDE10AC0FED6F5398E53ED3B2087B38B7A4A3D209E4F1B34150506E1BA362E4E1620A47ED9A1C7924BB9995
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):18
                                                                                                                                                                                                                      Entropy (8bit):2.836591668108979
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3:QETlbol9:QEiv
                                                                                                                                                                                                                      MD5:5FFBAD261CA1D087BDEA2DAA185561A0
                                                                                                                                                                                                                      SHA1:A961E6EBC140F64BC9CBD47EB820DF77764969AB
                                                                                                                                                                                                                      SHA-256:2FFE94EBE8D67CD72EE7F1D088DA8AC1B6BA2EBAB80463CC38AC10617ADF933B
                                                                                                                                                                                                                      SHA-512:DE56BFA3EF7EB40E7D40CCEC2A99795CEEEB708F7D2E47520A6F82AAC3A72D69F4887BF3C515FB0C0136AF6D04DC90E4CBF4A704E13561EC3171373ABAE1D73A
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:..a.l.f.o.n.s.....
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):12
                                                                                                                                                                                                                      Entropy (8bit):0.41381685030363374
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3:/l:
                                                                                                                                                                                                                      MD5:E4A1661C2C886EBB688DEC494532431C
                                                                                                                                                                                                                      SHA1:A2AE2A7DB83B33DC95396607258F553114C9183C
                                                                                                                                                                                                                      SHA-256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
                                                                                                                                                                                                                      SHA-512:EFDCB76FB40482BC94E37EAE3701E844BF22C7D74D53AEF93AC7B6AE1C1094BA2F853875D2C66A49A7075EA8C69F5A348B786D6EE0FA711669279D04ADAAC22C
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:............
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: RMS - Host 7.2, Comments: This installer contains the logic and data to install RMS - Host 7.2, Keywords: Installer,MSI,Database, Subject: RMS - Host 7.2, Author: TektonIT, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2021 - Premier Edition with Virtualization Pack 27, Last Saved Time/Date: Thu Jul 18 02:24:09 2024, Create Time/Date: Thu Jul 18 02:24:09 2024, Last Printed: Thu Jul 18 02:24:09 2024, Revision Number: {134AA6F2-2A49-44F2-A7A5-B7B9233956FA}, Code page: 1251, Template: Intel;1049
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):26864640
                                                                                                                                                                                                                      Entropy (8bit):7.924911310016854
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:393216:3fWbJGFHH0km5pmwUs1211e50MRZDzPHPRn9xrUVaWILZPLM4ShshVK6KZ478Qic:3fRLmf21sq8P50dILZPLzVK6D
                                                                                                                                                                                                                      MD5:24F15E659ECB67862F4C6E72726BFCA7
                                                                                                                                                                                                                      SHA1:75D90172D7A315A31A484629DC8573367F3E544A
                                                                                                                                                                                                                      SHA-256:F11C06F1FD567E26FB4CE9999749516B6E47ADE4EE0B7B875A75A5CBFB74DC04
                                                                                                                                                                                                                      SHA-512:913C9FB7FDCA7F9F7DD7077C34092E76E42D88802406C9A5F6E8AA0C21E4F21FEE850A39B95982EFE9ED4A2D022A95C30739CC20DC65F3C6722B6022D8F76B3C
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):169896
                                                                                                                                                                                                                      Entropy (8bit):6.068969720857241
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3072:jqSoP/44Yvge5XKhpKJJdu+ew+BZPHbN2e9n2p+:j5g/ve5XKhMVJSIun6+
                                                                                                                                                                                                                      MD5:B5ADF92090930E725510E2AAFE97434F
                                                                                                                                                                                                                      SHA1:EB9AFF632E16FCB0459554979D3562DCF5652E21
                                                                                                                                                                                                                      SHA-256:1F6F0D9F136BC170CFBC48A1015113947087AC27AED1E3E91673FFC91B9F390B
                                                                                                                                                                                                                      SHA-512:1076165011E20C2686FB6F84A47C31DA939FA445D9334BE44BDAA515C9269499BD70F83EB5FCFA6F34CF7A707A828FF1B192EC21245EE61817F06A66E74FF509
                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._`,"..Bq..Bq..Bq..q..Bq<.q..Bq..q..Bq..q/.Bq..qh.Bq.y.q..Bq.y.q..Bq..Cq..Bq..q..Bq..q..Bq..q..Bq...q..Bq..q..BqRich..Bq........PE..L.....,a...........!.....p...$......................................................U..................................m............`..p............x.......p..........................................@............................................text....o.......p.................. ..`.rdata..M............t..............@..@.data....1... ......................@....rsrc...p....`.......$..............@..@.reloc...L...p...N...*..............@..B................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1447471
                                                                                                                                                                                                                      Entropy (8bit):4.935928888043589
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:24576:hMMMMMMSLLLLLLLFMMMMMMSLLLLLLLsMMMMMMSLLLLLLLi:hMMMMMMSLLLLLLLFMMMMMMSLLLLLLLsb
                                                                                                                                                                                                                      MD5:09935D887C3ED53FE077D215888F0D19
                                                                                                                                                                                                                      SHA1:B8EAB2909A151D238F93ABBF36A5B7D61AB25FF7
                                                                                                                                                                                                                      SHA-256:26BE89B58552BBA1DCD8F62BE9F51235DB7C9EEB6A800C7152AE1CB62EECF446
                                                                                                                                                                                                                      SHA-512:D3814A83E95B08FE0EEC943485FDF55636B7636F0E9B4847ED89478C430708E3DBB5BD7805FF446A36AA0A1EB0875118B8E3B83535DEF396F49DF58F496E1B7F
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:...@IXOS.@.....@...Y.@.....@.....@.....@.....@.....@......&.{77817ADF-D5EC-49C6-B987-6169BBD5345B} .Remote Manipulator System - Host..Word.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{134AA6F2-2A49-44F2-A7A5-B7B9233956FA}.....@.....@.....@.....@.......@.....@.....@.......@.... .Remote Manipulator System - Host......Rollback....B.:.0.B. .4.5.9.A.B.2.8.O.:...[1]..RollbackCleanup..#.4.0.;.5.=.8.5. .2.@.5.<.5.=.=.K.E. .D.0.9.;.>.2...$.0.9.;.:. .[.1.]....@.......@........ProcessComponents"...1.=.>.2.;.5.=.8.5. .@.5.3.8.A.B.@.0.F.8.8. .:.>.<.?.>.=.5.=.B.>.2....@.....@.....@.]....&.{74F2505E-B20A-4AED-968F-AE5B278DB38A}8.C:\Program Files (x86)\Remote Manipulator System - Host\.@.......@.....@.....@......&.{26EAB54E-4659-47E8-86F9-4CB74F7E03BE}...@.......@.....@.....@......&.{596F4636-5D51-49F5-B3B4-F3C366E9DC23}...@.......@.....@.....@...........@....&.{00000000-0000-0000-0000-000000000000}.@.....@.....@......&.{182310A2-CD9E-4171-ACD1-3AEDD260A15F}D.C:\Program Files (x86)\Remote Manip
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                      Entropy (8bit):1.161253569716644
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12:JSbX72FjujSAGiLIlHVRpzh/7777777777777777777777777vDHF5t07x6uPp0V:JU+QI53vt016uy8F
                                                                                                                                                                                                                      MD5:8C0174358EA65B3E4EE8881325092A31
                                                                                                                                                                                                                      SHA1:69DE93C278AAE4D183114795843D5910AD883AC6
                                                                                                                                                                                                                      SHA-256:EE9B3A58AFF1A8B74DE9EE2709079C52DA9D65C1BF0DE7ABB7769CC23F298553
                                                                                                                                                                                                                      SHA-512:07755EC11B920B6F6388A6F1E79C814B24D4CB5004DB9CBC50DB3D9842F58B122F3FF5DD69B3B60E679F6D1322C820A4FC5423DF94C1B6DAD175EE7C3E5DA9C1
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                      Entropy (8bit):1.9258080898398173
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:48:K8PhXuRc06WXOcnT5LaSKdgfdguOdghRXdgkdgpdgKdgt6Adg82SBwdgfdguOdgL:VhX1anT9aUGkOzs9t4ZqvGkOzs9rf
                                                                                                                                                                                                                      MD5:7FE5E190B00FF0D16BAF4B5BC0B3AA0B
                                                                                                                                                                                                                      SHA1:20F813238B67A8E738433BB43D6FC867624B9956
                                                                                                                                                                                                                      SHA-256:BB8CF9E783E0EBB0A7FFFDA43F7082EB4B0DBED41D3B0509A59FF5D3EE561FAA
                                                                                                                                                                                                                      SHA-512:46B8057381E0790CED7CEB283FD9D42666537FC95992AAE3DF18B985A2F383762FE92C6B99EC093DA4A1CF6586244C778DDA59A186A548137678266426881A9F
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):79000
                                                                                                                                                                                                                      Entropy (8bit):5.817675016279098
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:/MAyYdTmPJbgqcnDckJ42T1IPAMxkEo2T1OtoAMxkEbK:/1U81ckJ52xVPxnK
                                                                                                                                                                                                                      MD5:E8CBBBE641AA6205C0E028CE7DC72CFE
                                                                                                                                                                                                                      SHA1:E845FB6044E5F611F4F990B76AA4762FAB6E96C9
                                                                                                                                                                                                                      SHA-256:61481606FE3FF53C9483586B4A95181D96F5679667ACCD582166069B10233D77
                                                                                                                                                                                                                      SHA-512:D12E6BBA83F1B41BB2B937B315C5CDD3ADFA60C318AD1E958D99251822810739D2C6EC75B664BBC3116B0CDBBBFA4BEBA234B8C604F303391E21CDA0C24767E5
                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):70808
                                                                                                                                                                                                                      Entropy (8bit):5.60723121147002
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:RdMAyYdTmPJbgqcnDc/soJP2T1qAMxkEvQ2T1h8uAMxkE4:/1U81cLJOGxF/hxM
                                                                                                                                                                                                                      MD5:F0F36966AD2B91DBE0C8B9D4E0A1AB0E
                                                                                                                                                                                                                      SHA1:B7787445DDD42A3B4753AFC0B02B270DDC1693FC
                                                                                                                                                                                                                      SHA-256:BE3C9594F315F2CE2698DFF54F7B41F012B25BF208DD88CEA7AC92936EC84AE9
                                                                                                                                                                                                                      SHA-512:B178A35B3F0A3CA67D632901C1F0AF309F51267DFA827AE029475C63BCF2BA51694C717C94989D7E457E915DAE74B43C3C6B405113249A7B1FF0E9BAE67E0949
                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):423064
                                                                                                                                                                                                                      Entropy (8bit):4.6899574334599645
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:1536:c1U81cqS/ZJgAmxJtAqXy/yxREpU1WyY68iuuuu6AppppppppEMMMMMMMSLLLLL+:UjcT6uuuutMMMMMMSLLLLLLLeYTZg
                                                                                                                                                                                                                      MD5:6A9AA00C428A946F9A5C5546A458ECA0
                                                                                                                                                                                                                      SHA1:06A70B197DEE2FC106576C6719CFF046D2747396
                                                                                                                                                                                                                      SHA-256:16601981E37F2FE16B8E0EA4626ABF57013458B63D1A71C8FA3B5080F3C191F5
                                                                                                                                                                                                                      SHA-512:EADDEE089D18ED744BB1DCAAA98A8F6E201022432C55D037D2A7EF994532197EF595E44DEEF9DB0CFAE8ACA50F4AB90CEEDB49F8E920E6B4FAF6C60B6EFEDD51
                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):423064
                                                                                                                                                                                                                      Entropy (8bit):4.690218208041496
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:1536:R1U81cqS/ZJgAmxJtAqXy/yxREpU1WyY68iuuuu6AppppppppEMMMMMMMSLLLLLe:DjcT6uuuutMMMMMMSLLLLLLLeYuGVk
                                                                                                                                                                                                                      MD5:AB85C5EEAD096C4E5D0A2914C24F59B2
                                                                                                                                                                                                                      SHA1:E189F9BA583B0A4EEE1C817C9DA8A5D72A038A83
                                                                                                                                                                                                                      SHA-256:F4F656CC3CD99ABC4CFC1A70BD77C52E36D59852987BE530E131CEF8238F4BA7
                                                                                                                                                                                                                      SHA-512:E70ACF9FCA9F0378FAC97421550984FF166D8D1D83F423400B108E804CA876EA6D7517398637D64C34CC0E46C14048BB9F50C8268D993FA983DB6B0E44A9C352
                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):423064
                                                                                                                                                                                                                      Entropy (8bit):4.690232052098797
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:1536:o1U81cqS/ZJgAmxJtAqXy/yxREpU1WyY68iuuuu6AppppppppEMMMMMMMSLLLLLU:IjcT6uuuutMMMMMMSLLLLLLLeYFuv
                                                                                                                                                                                                                      MD5:03A18CE97AA1C45D834524B8A408BC17
                                                                                                                                                                                                                      SHA1:72ABD8B4AC974928684B6D089F8573C70D431808
                                                                                                                                                                                                                      SHA-256:0ACFCA29B6128E0161B4E6D93FFF7686A96128016846625763DAB7F9CE059DEF
                                                                                                                                                                                                                      SHA-512:2A2DC903E4179EC83BB4FA557FFCCE8BA3D8FC175E9C817D34BA186704ECF06A281D96D35B12B8D54FE35683030942FDC9A3A1FDFDBEAA755A60436F3C7B3483
                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):364483
                                                                                                                                                                                                                      Entropy (8bit):5.365491356474972
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauT:zTtbmkExhMJCIpEe
                                                                                                                                                                                                                      MD5:0308999A811AB9D10BFBF7AB9879D693
                                                                                                                                                                                                                      SHA1:F74A26C715CEA0AB96EE9C7ECFA0E3D8457431B8
                                                                                                                                                                                                                      SHA-256:9D5D5B31B0F4D9ADC5D3E374BBF403A5BA90B949411017F486FD09D16333AF9B
                                                                                                                                                                                                                      SHA-512:3139EB00463CB6F42BF80A2D7FB20388240E65C8972946120F9745E773E8FFEFF9EA1FFB463587998AB55E7370220BF681A9ECF8B364B2154E2863F1AD97AD51
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                      File Type:JSON data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):55
                                                                                                                                                                                                                      Entropy (8bit):4.306461250274409
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                                                                      MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                                                                      SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                                                                      SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                                                                      SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):6544
                                                                                                                                                                                                                      Entropy (8bit):6.429559611327131
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:Ez88fedNBkYmpEiaDE5XFO06rYCqRXUBQv/dJIy7/:XvdMEiaDE5XMrhQv/dJIy7
                                                                                                                                                                                                                      MD5:A3796AB67F070EA6658EFF00B2E28C93
                                                                                                                                                                                                                      SHA1:CDD319F9CD83861632E0976CB57A8753C93F9229
                                                                                                                                                                                                                      SHA-256:E388C3C7067FBF804A2DFA07D33F0192814282E7FC75609F8D57D9ECA39B1F74
                                                                                                                                                                                                                      SHA-512:1C3A70C12BE77D16EFDF1B386B73ECA98A7CA87671980B7D898D3CBBA3631AEA907224B722F4B4B3400A12221C662BA29BB0B51A0C40E9B7FD3FE60A490345CC
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1712
                                                                                                                                                                                                                      Entropy (8bit):7.591719202977513
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:24:Vk1I3jh1pD2HwgnJD8Xm3BP4whFPSGBAS7jF78oekZdCrphruWeI8h6FfymkBZGN:d1xGnt8W3BvDj9BdCusxIsfLamo3T6
                                                                                                                                                                                                                      MD5:C6AB6B4A31AD48F68089E6B7B8922082
                                                                                                                                                                                                                      SHA1:28C257DAD9B1DFEF52B28090E118FE538F6D0811
                                                                                                                                                                                                                      SHA-256:F0A9F73221A0ACF764C9971520BF9B6CF9A9968499445227132303A248B9E0B0
                                                                                                                                                                                                                      SHA-512:C16D17546E37D9FACAFE8B504D476FB028F1029F805612FF04AF82A8803FD7EC636904E7120D54CE8C5666719460341BBD5768DF628A1D08507616D505763CE0
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1680
                                                                                                                                                                                                                      Entropy (8bit):7.609103808405835
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:48:+sR2QSKyg2G237nIxCw5DgSUnpU446J8WpNTE:F9Z2N37n4Cw5MSiw6mOTE
                                                                                                                                                                                                                      MD5:9B7CEE7FC2507E7B498924A5DD1F64B7
                                                                                                                                                                                                                      SHA1:703360D20DC050704F9E518722F1EB59E07D237F
                                                                                                                                                                                                                      SHA-256:406E6229A2C02CEA8A1314AB7D8437BBFA0341CE545E196B28F9A2990252ABBD
                                                                                                                                                                                                                      SHA-512:9C20F9FFE6EF56534678A3FB7CC3882602FF772BA893279437D32026AAACC83F8F7EA442C9D438593DA21AFAFF640903ECA604BEE302C5CB2A7ED7841D504CB0
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1435
                                                                                                                                                                                                                      Entropy (8bit):7.512406297170673
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:24:qFVjIZwF1jqmvfagpNORwfF7YpQfvmE1yPq8hruWa2tHP+HLuuDXXWLaH:iSuF1jqgfvORK9q3nPq4uRY4LuubXv
                                                                                                                                                                                                                      MD5:FB64D17430ADF5FA8629690D4BD179EF
                                                                                                                                                                                                                      SHA1:5432DE65FA17D02D7B62683E48E306471D22D943
                                                                                                                                                                                                                      SHA-256:28980FB3D5245F81736F6233894B6D3C0CD17062FCA4B51192C138605E9E9CB9
                                                                                                                                                                                                                      SHA-512:B7D9D9372461B71B9EC5AA11034CD6D88CD850D6F86256FA756494DF8896F2768938E4C21A7620E053A46BC08A7B1E55F2782B2FBD2EAA1E78569F3A3E0FDE98
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):222
                                                                                                                                                                                                                      Entropy (8bit):2.888868625432543
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3:kkFklv7dgRXfllXlE/hRbltlOyR8rHelJlWlLltUKlrlxUXW4mgelSlj:kK5cJXl7pWhliKxlxUDmgrj
                                                                                                                                                                                                                      MD5:66E561731C67DE0A0A87F44DE5462C79
                                                                                                                                                                                                                      SHA1:FF088098A4E7AA3F409D798AACA6D1198E31DA68
                                                                                                                                                                                                                      SHA-256:E62BBD82C84FF2F31A04D80B5BBE9F0825837BF142E04079FF04C608B42ECE1A
                                                                                                                                                                                                                      SHA-512:EDBCC0958283E56F78F6523D89F044AFCF5EEA868F3088416E204D657FFEC84EF0B1F1F36CFCC02B88EFA86FAF1ED1D951222FF5AE692D6F6688F0E642144D7F
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:p...... ....j..... .XE..(....................................................... .........b.GE.............b........h.t.t.p.:././.c.r.l...g.l.o.b.a.l.s.i.g.n...c.o.m./.g.s.g.c.c.r.4.5.c.o.d.e.s.i.g.n.c.a.2.0.2.0...c.r.l...
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):532
                                                                                                                                                                                                                      Entropy (8bit):3.947178126546914
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12:RYdqtz/DWzJqe3KQj22iv8sFF1gUeMalCrlQNlVgfM1Iweql6aU/:eotz/DgJRjYvP+U7uCKlCM1IwRU/
                                                                                                                                                                                                                      MD5:5BEE55B27504D6B14682440C6420B674
                                                                                                                                                                                                                      SHA1:C2A57F6EE4A067D4C1BBAC29839AC871EB6DE49E
                                                                                                                                                                                                                      SHA-256:919B729D4BA1F8B41174FF3BF457262AA8AC1D570710F80F67D3E086F207A2B0
                                                                                                                                                                                                                      SHA-512:14884B701DF54A5F021ABC4BA2D2DF7CC30AC90EB3C0C06CCF9F040FC0A86D63CBE72411AF5DF74B15348BAA235DC6534D19F057197BB69B5ED867CC6A2E7E45
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:p...... ....J...?.p.XE..(................W0.EE....>.jH....................>.jH.. ........W0.EE......V...............h.t.t.p.:././.o.c.s.p...g.l.o.b.a.l.s.i.g.n...c.o.m./.c.o.d.e.s.i.g.n.i.n.g.r.o.o.t.r.4.5./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.V.F.Z.P.5.v.q.h.C.r.t.R.N.5.S.W.f.4.0.R.n.6.N.M.1.I.A.Q.U.H.w.C.%.2.F.R.o.A.K.%.2.F.H.g.5.t.6.W.0.Q.9.l.W.U.L.v.O.l.j.s.C.E.H.e.9.D.g.O.h.t.w.j.4.V.K.s.G.c.h.D.Z.B.E.c.%.3.D...".2.8.c.2.5.7.d.a.d.9.b.1.d.f.e.f.5.2.b.2.8.0.9.0.e.1.1.8.f.e.5.3.8.f.6.d.0.8.1.1."...
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):544
                                                                                                                                                                                                                      Entropy (8bit):3.827870344229167
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12:jxAOtpCW8gzfDWzf79bLgLzK8sFAY6ealztksMGH4Z+h:FTp3zfDgz9YLmvqY6mIh
                                                                                                                                                                                                                      MD5:81358269074426BD0F96689D006CC06A
                                                                                                                                                                                                                      SHA1:F7237E2153A1D8CEF00AE4708A67E673AB92EE5F
                                                                                                                                                                                                                      SHA-256:CD1CAF69629C1FFC4A17B93E725470F81A39EEFC84B11D15645444A0B4CE0961
                                                                                                                                                                                                                      SHA-512:FA9F40F452713E89220BE9459452F3165C47F6412D5A22884EB9C081173B102670065E50DAD37A04A99D6C3B84483FCB012902CF58DA0652EA92D4534DE965E5
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:p...... ....V...6C..XE..(.................o.CE....~.gH....................~.gH.. .........o.CE......V...............h.t.t.p.:././.o.c.s.p...g.l.o.b.a.l.s.i.g.n...c.o.m./.g.s.g.c.c.r.4.5.c.o.d.e.s.i.g.n.c.a.2.0.2.0./.M.E.0.w.S.z.B.J.M.E.c.w.R.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.L.u.A.3.y.g.n.K.W.%.2.F.7.x.u.S.x.%.2.F.0.9.F.%.2.B.h.H.V.u.E.U.Q.Q.U.2.r.O.N.w.C.S.Q.o.2.t.3.0.w.y.g.W.d.0.h.Z.2.R.2.C.3.g.C.D.H.Z.G.D.p.D.i.h.E.2.3.%.2.B.Y.N.r.M.w.%.3.D.%.3.D...".7.0.3.3.6.0.d.2.0.d.c.0.5.0.7.0.4.f.9.e.5.1.8.7.2.2.f.1.e.b.5.9.e.0.7.d.2.3.7.f."...
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):508
                                                                                                                                                                                                                      Entropy (8bit):3.9808194266229227
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12:3KOaPCkzVDWzFU8iv8sFt4QAfROA/pULoAQlmlEXJ:SPCkzVDgFUhv/ofROS6LofcluJ
                                                                                                                                                                                                                      MD5:A5DECDA9B1C3E6B1D19C81ED63624023
                                                                                                                                                                                                                      SHA1:3FCBB01B5C168AD798C0BC8520A885CFE1AD6BFC
                                                                                                                                                                                                                      SHA-256:22FEEA3B3BAEB0CE5444DE8D255BB16582229CAC78368FDDA3BAE5E7954C6912
                                                                                                                                                                                                                      SHA-512:61AA04385AEDC644C0A3D8DAFE85C982BC473F90B9C0BC48C56089E512FFD23CC69611241635DE1A5E611C7AC43EB15124B1F570DD89CC2F0DC1ED749CF62A65
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:p...... ....2....JsXE..(...................=E.....bH.....................bH.. ...........=E......V...............h.t.t.p.:././.o.c.s.p...g.l.o.b.a.l.s.i.g.n...c.o.m./.r.o.o.t.r.3./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.1.n.G.h.%.2.F.J.B.j.W.K.n.k.P.d.Z.I.z.B.1.b.q.h.e.l.H.B.w.Q.U.j.%.2.F.B.L.f.6.g.u.R.S.S.u.T.V.D.6.Y.5.q.L.3.u.L.d.G.7.w.C.E.H.g.D.G.E.J.F.c.I.p.B.z.2.8.B.u.O.6.0.q.V.Q.%.3.D...".5.4.3.2.d.e.6.5.f.a.1.7.d.0.2.d.7.b.6.2.6.8.3.e.4.8.e.3.0.6.4.7.1.d.2.2.d.9.4.3."...
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                      Entropy (8bit):0.06843743119485104
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOZft07x6qkWrkoVky6l0t/:2F0i8n0itFzDHF5t07x6uC01
                                                                                                                                                                                                                      MD5:B23A8F32998499DA774A3479193D91FB
                                                                                                                                                                                                                      SHA1:0FE95AAD29FA238A9488C7C9BF7E1E265A18497B
                                                                                                                                                                                                                      SHA-256:3272D0750CE59B4FF12F23F507659A50D8EC4C4562130BD41A529780E660C33D
                                                                                                                                                                                                                      SHA-512:DBF24A27950DB9528F76E5FCD10F74518083DBBEBB583EA4CDD4295B3122B16640F7AA9C5E3D27DF38E2B0B40E89FF575FA3BBAF249FC0DBB25A4CAA9F7FB30E
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                      Entropy (8bit):1.5177994720608723
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:48:hwPuUNvcFXOzT5XUkyqaSKdgfdguOdghRXdgkdgpdgKdgt6Adg82SBwdgfdguOd2:qPMuTZtxaUGkOzs9t4ZqvGkOzs9rf
                                                                                                                                                                                                                      MD5:A7B5C8536EE27AD82589394EE5C17E25
                                                                                                                                                                                                                      SHA1:6A81D8C0355AABBA18F89274B86395D3E16DDE90
                                                                                                                                                                                                                      SHA-256:089E81FD957B5421B404F156EA7CF2E0EF281BDBB673304109A725FBA419D7DA
                                                                                                                                                                                                                      SHA-512:F86048CCDB3C934B7DEA8A5FA5E1B593D7DBBCF2695BCBD267848B982784C5B65D336039425FD3A36887B3A86556C798437A5969562212B74B28BB16D53A95BB
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                      Entropy (8bit):1.5177994720608723
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:48:hwPuUNvcFXOzT5XUkyqaSKdgfdguOdghRXdgkdgpdgKdgt6Adg82SBwdgfdguOd2:qPMuTZtxaUGkOzs9t4ZqvGkOzs9rf
                                                                                                                                                                                                                      MD5:A7B5C8536EE27AD82589394EE5C17E25
                                                                                                                                                                                                                      SHA1:6A81D8C0355AABBA18F89274B86395D3E16DDE90
                                                                                                                                                                                                                      SHA-256:089E81FD957B5421B404F156EA7CF2E0EF281BDBB673304109A725FBA419D7DA
                                                                                                                                                                                                                      SHA-512:F86048CCDB3C934B7DEA8A5FA5E1B593D7DBBCF2695BCBD267848B982784C5B65D336039425FD3A36887B3A86556C798437A5969562212B74B28BB16D53A95BB
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):73728
                                                                                                                                                                                                                      Entropy (8bit):0.2763605650885168
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:48:2IO8XSBwdgfdguOdghRXdgkdgpdgKdg4SKdgfdguOdghRXdgkdgpdgKdgt6Adg8W:HOyqvGkOzs94UGkOzs9t4H
                                                                                                                                                                                                                      MD5:1DE9B4955BB8E58482C0E31947122055
                                                                                                                                                                                                                      SHA1:0382C8969874A929D22EC117E15BC395EBD4C86D
                                                                                                                                                                                                                      SHA-256:CBF7317E945282778AB4F12D26B4AFB7CBF380BFE761D810FB661F7D540104DD
                                                                                                                                                                                                                      SHA-512:C88CA4AD19F9BFC96814AD8EF0B3E6DED2C61113EBBA7C3BCD975E70A8C5AAF78818A81F247D19C2F6FFE05DEE8D85C6EF25416E1559332F18D7597687A031C3
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                      Entropy (8bit):1.9258080898398173
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:48:K8PhXuRc06WXOcnT5LaSKdgfdguOdghRXdgkdgpdgKdgt6Adg82SBwdgfdguOdgL:VhX1anT9aUGkOzs9t4ZqvGkOzs9rf
                                                                                                                                                                                                                      MD5:7FE5E190B00FF0D16BAF4B5BC0B3AA0B
                                                                                                                                                                                                                      SHA1:20F813238B67A8E738433BB43D6FC867624B9956
                                                                                                                                                                                                                      SHA-256:BB8CF9E783E0EBB0A7FFFDA43F7082EB4B0DBED41D3B0509A59FF5D3EE561FAA
                                                                                                                                                                                                                      SHA-512:46B8057381E0790CED7CEB283FD9D42666537FC95992AAE3DF18B985A2F383762FE92C6B99EC093DA4A1CF6586244C778DDA59A186A548137678266426881A9F
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                      Entropy (8bit):1.5177994720608723
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:48:hwPuUNvcFXOzT5XUkyqaSKdgfdguOdghRXdgkdgpdgKdgt6Adg82SBwdgfdguOd2:qPMuTZtxaUGkOzs9t4ZqvGkOzs9rf
                                                                                                                                                                                                                      MD5:A7B5C8536EE27AD82589394EE5C17E25
                                                                                                                                                                                                                      SHA1:6A81D8C0355AABBA18F89274B86395D3E16DDE90
                                                                                                                                                                                                                      SHA-256:089E81FD957B5421B404F156EA7CF2E0EF281BDBB673304109A725FBA419D7DA
                                                                                                                                                                                                                      SHA-512:F86048CCDB3C934B7DEA8A5FA5E1B593D7DBBCF2695BCBD267848B982784C5B65D336039425FD3A36887B3A86556C798437A5969562212B74B28BB16D53A95BB
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                      Entropy (8bit):1.9258080898398173
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:48:K8PhXuRc06WXOcnT5LaSKdgfdguOdghRXdgkdgpdgKdgt6Adg82SBwdgfdguOdgL:VhX1anT9aUGkOzs9t4ZqvGkOzs9rf
                                                                                                                                                                                                                      MD5:7FE5E190B00FF0D16BAF4B5BC0B3AA0B
                                                                                                                                                                                                                      SHA1:20F813238B67A8E738433BB43D6FC867624B9956
                                                                                                                                                                                                                      SHA-256:BB8CF9E783E0EBB0A7FFFDA43F7082EB4B0DBED41D3B0509A59FF5D3EE561FAA
                                                                                                                                                                                                                      SHA-512:46B8057381E0790CED7CEB283FD9D42666537FC95992AAE3DF18B985A2F383762FE92C6B99EC093DA4A1CF6586244C778DDA59A186A548137678266426881A9F
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\442.docx.exe
                                                                                                                                                                                                                      File Type:Microsoft Word 2007+
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):230038
                                                                                                                                                                                                                      Entropy (8bit):7.636957641054668
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3072:nzyKKhARKP6+FeRJhaigk8Ukyhxv8vyNrwyJN2EiXo4EaCNSltkprZvyYqZtGVVu:nzyKKhEKBSf/vv8vyNjz9oltkyYzcZ
                                                                                                                                                                                                                      MD5:773D2787D661474A840B907C8A22D4E9
                                                                                                                                                                                                                      SHA1:A6A0E3C4AB4063BC74C65D6EC0CB43B67F1D767F
                                                                                                                                                                                                                      SHA-256:BA82FE356B21118D92B04A74EF8466A59F4802FD9B061F6E9A28E16CF7A5A8B3
                                                                                                                                                                                                                      SHA-512:7EC868F9B7B47A757BBB5ABF5639F97C47D79AC55DD07954F3EEE93384B555F7C4C817B687C8C486DC97F4174A8CC04DEED342E8ADD6EA2EDB5EE381FC612BEA
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\442.docx.exe
                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: RMS - Host 7.2, Comments: This installer contains the logic and data to install RMS - Host 7.2, Keywords: Installer,MSI,Database, Subject: RMS - Host 7.2, Author: TektonIT, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2021 - Premier Edition with Virtualization Pack 27, Last Saved Time/Date: Thu Jul 18 02:24:09 2024, Create Time/Date: Thu Jul 18 02:24:09 2024, Last Printed: Thu Jul 18 02:24:09 2024, Revision Number: {134AA6F2-2A49-44F2-A7A5-B7B9233956FA}, Code page: 1251, Template: Intel;1049
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):26864640
                                                                                                                                                                                                                      Entropy (8bit):7.924911310016854
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:393216:3fWbJGFHH0km5pmwUs1211e50MRZDzPHPRn9xrUVaWILZPLM4ShshVK6KZ478Qic:3fRLmf21sq8P50dILZPLzVK6D
                                                                                                                                                                                                                      MD5:24F15E659ECB67862F4C6E72726BFCA7
                                                                                                                                                                                                                      SHA1:75D90172D7A315A31A484629DC8573367F3E544A
                                                                                                                                                                                                                      SHA-256:F11C06F1FD567E26FB4CE9999749516B6E47ADE4EE0B7B875A75A5CBFB74DC04
                                                                                                                                                                                                                      SHA-512:913C9FB7FDCA7F9F7DD7077C34092E76E42D88802406C9A5F6E8AA0C21E4F21FEE850A39B95982EFE9ED4A2D022A95C30739CC20DC65F3C6722B6022D8F76B3C
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):162
                                                                                                                                                                                                                      Entropy (8bit):4.674331005300397
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3:t4qKF0n4ejBl4XRre0HmzFG+u+MlEM4n:JK+4ejBlYRreAmM+u+KEHn
                                                                                                                                                                                                                      MD5:CB062ED57A6ED1FA07DC763E259B4CC7
                                                                                                                                                                                                                      SHA1:AC0B7D3E0868C34C2DE4457266044594E6F98339
                                                                                                                                                                                                                      SHA-256:96A78DD90CAB162D8A1EE5B7DE88220DC15F2886DCBC550F978E2D3513306F4C
                                                                                                                                                                                                                      SHA-512:5DF6F437961E3CAB96299EF9D65E4778D9F47EE66D966F5BA94AC2471637FE207D7E92ADF58189036F0BB96CA55B91055446D0E9859DBEA04DC0729D141ABD39
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                      Entropy (8bit):7.998140922332344
                                                                                                                                                                                                                      TrID:
                                                                                                                                                                                                                      • Win64 Executable GUI (202006/5) 92.65%
                                                                                                                                                                                                                      • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                                                                                                                                      • DOS Executable Generic (2002/1) 0.92%
                                                                                                                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                      File name:442.docx.exe
                                                                                                                                                                                                                      File size:25'141'051 bytes
                                                                                                                                                                                                                      MD5:fb8117b1a3f0924100fbc209dbbb1bb1
                                                                                                                                                                                                                      SHA1:9d18c954eae8e8f8437d4e32d0b685f3f51b982b
                                                                                                                                                                                                                      SHA256:beaa1498a67bab02bc4c08f00bde36489aaa86ad8b01ee70b477452a08d360ec
                                                                                                                                                                                                                      SHA512:fcaba4304f26eefa476202e17ca85c3f994d2086f78fa86f1d73f7d6c926825a4ac3b02ceae2d8cde3583f02fdbf87139741035368f6d4b77c4f8c790df330fd
                                                                                                                                                                                                                      SSDEEP:393216:bnD8YsCFVxnq/mIhNAl2543UCCCQrTTNi5NRmclImNm/U29ieL:bgYlFV8/1AbOrXNihH29LL
                                                                                                                                                                                                                      TLSH:14473325EE400AB1E2FAD47098159413D63C3C5DC228B2A722F997287FF7B755B67388
                                                                                                                                                                                                                      Icon Hash:0b03084c4e4e0383
                                                                                                                                                                                                                      Entrypoint:0x140032ee0
                                                                                                                                                                                                                      Entrypoint Section:.text
                                                                                                                                                                                                                      Digitally signed:false
                                                                                                                                                                                                                      Imagebase:0x140000000
                                                                                                                                                                                                                      Subsystem:windows gui
                                                                                                                                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                                                                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                      Time Stamp:0x66409723 [Sun May 12 10:17:07 2024 UTC]
                                                                                                                                                                                                                      TLS Callbacks:
                                                                                                                                                                                                                      CLR (.Net) Version:
                                                                                                                                                                                                                      OS Version Major:5
                                                                                                                                                                                                                      OS Version Minor:2
                                                                                                                                                                                                                      File Version Major:5
                                                                                                                                                                                                                      File Version Minor:2
                                                                                                                                                                                                                      Subsystem Version Major:5
                                                                                                                                                                                                                      Subsystem Version Minor:2
                                                                                                                                                                                                                      Import Hash:b1c5b1beabd90d9fdabd1df0779ea832
                                                                                                                                                                                                                      Instruction
                                                                                                                                                                                                                      dec eax
                                                                                                                                                                                                                      sub esp, 28h
                                                                                                                                                                                                                      call 00007F3F10C3C208h
                                                                                                                                                                                                                      dec eax
                                                                                                                                                                                                                      add esp, 28h
                                                                                                                                                                                                                      jmp 00007F3F10C3BB9Fh
                                                                                                                                                                                                                      int3
                                                                                                                                                                                                                      int3
                                                                                                                                                                                                                      dec eax
                                                                                                                                                                                                                      mov eax, esp
                                                                                                                                                                                                                      dec eax
                                                                                                                                                                                                                      mov dword ptr [eax+08h], ebx
                                                                                                                                                                                                                      dec eax
                                                                                                                                                                                                                      mov dword ptr [eax+10h], ebp
                                                                                                                                                                                                                      dec eax
                                                                                                                                                                                                                      mov dword ptr [eax+18h], esi
                                                                                                                                                                                                                      dec eax
                                                                                                                                                                                                                      mov dword ptr [eax+20h], edi
                                                                                                                                                                                                                      inc ecx
                                                                                                                                                                                                                      push esi
                                                                                                                                                                                                                      dec eax
                                                                                                                                                                                                                      sub esp, 20h
                                                                                                                                                                                                                      dec ebp
                                                                                                                                                                                                                      mov edx, dword ptr [ecx+38h]
                                                                                                                                                                                                                      dec eax
                                                                                                                                                                                                                      mov esi, edx
                                                                                                                                                                                                                      dec ebp
                                                                                                                                                                                                                      mov esi, eax
                                                                                                                                                                                                                      dec eax
                                                                                                                                                                                                                      mov ebp, ecx
                                                                                                                                                                                                                      dec ecx
                                                                                                                                                                                                                      mov edx, ecx
                                                                                                                                                                                                                      dec eax
                                                                                                                                                                                                                      mov ecx, esi
                                                                                                                                                                                                                      dec ecx
                                                                                                                                                                                                                      mov edi, ecx
                                                                                                                                                                                                                      inc ecx
                                                                                                                                                                                                                      mov ebx, dword ptr [edx]
                                                                                                                                                                                                                      dec eax
                                                                                                                                                                                                                      shl ebx, 04h
                                                                                                                                                                                                                      dec ecx
                                                                                                                                                                                                                      add ebx, edx
                                                                                                                                                                                                                      dec esp
                                                                                                                                                                                                                      lea eax, dword ptr [ebx+04h]
                                                                                                                                                                                                                      call 00007F3F10C3B023h
                                                                                                                                                                                                                      mov eax, dword ptr [ebp+04h]
                                                                                                                                                                                                                      and al, 66h
                                                                                                                                                                                                                      neg al
                                                                                                                                                                                                                      mov eax, 00000001h
                                                                                                                                                                                                                      sbb edx, edx
                                                                                                                                                                                                                      neg edx
                                                                                                                                                                                                                      add edx, eax
                                                                                                                                                                                                                      test dword ptr [ebx+04h], edx
                                                                                                                                                                                                                      je 00007F3F10C3BD33h
                                                                                                                                                                                                                      dec esp
                                                                                                                                                                                                                      mov ecx, edi
                                                                                                                                                                                                                      dec ebp
                                                                                                                                                                                                                      mov eax, esi
                                                                                                                                                                                                                      dec eax
                                                                                                                                                                                                                      mov edx, esi
                                                                                                                                                                                                                      dec eax
                                                                                                                                                                                                                      mov ecx, ebp
                                                                                                                                                                                                                      call 00007F3F10C3DD47h
                                                                                                                                                                                                                      dec eax
                                                                                                                                                                                                                      mov ebx, dword ptr [esp+30h]
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x597a0 | 0x34 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x597d4 | 0x50 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x70000 | 0x1558c | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x6a000 | 0x306c | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0x970 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x536c0 | 0x54 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x53780 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4b3f0 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x48000 | 0x508 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x588bc | 0x120 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x4676e | 0x46800 | f06bb06e02377ae8b223122e53be35c2 | False | 0.5372340425531915 | data | 6.47079645411382 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x48000 | 0x128c4 | 0x12a00 | 2de06d4a6920a6911e64ff20000ea72f | False | 0.4499003775167785 | data | 5.273999097784603 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x5b000 | 0xe75c | 0x1a00 | 0dbdb901a7d477980097e42e511a94fb | False | 0.28275240384615385 | data | 3.2571023907881185 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x6a000 | 0x306c | 0x3200 | b0ce0f057741ad2a4ef4717079fa34e9 | False | 0.483359375 | data | 5.501810413666288 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .didat | 0x6e000 | 0x360 | 0x400 | 1fcc7b1d7a02443319f8fcc2be4ca936 | False | 0.2578125 | data | 3.0459938492946015 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| _RDATA | 0x6f000 | 0x15c | 0x200 | 3f331ec50f09ba861beaf955b33712d5 | False | 0.408203125 | data | 3.3356393424384843 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x70000 | 0x1558c | 0x15600 | 50f0a4d841d0856138dbb9d7187108bf | False | 0.1905953033625731 | data | 5.443581422941128 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x86000 | 0x970 | 0xa00 | 77a9ddfc47a5650d6eebbcc823e39532 | False | 0.52421875 | data | 5.336289720085303 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| PNG | 0x70554 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | | | 1.0027729636048528 |
| PNG | 0x7109c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | | | 0.9363390441839495 |
| RT_ICON | 0x72648 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 15118 x 15118 px/m | | | 0.06374955637051934 |
| RT_DIALOG | 0x82e70 | 0x2ba | data | | | 0.5286532951289399 |
| RT_DIALOG | 0x8312c | 0x13a | data | | | 0.6560509554140127 |
| RT_DIALOG | 0x83268 | 0xf2 | data | | | 0.71900826446281 |
| RT_DIALOG | 0x8335c | 0x14a | data | | | 0.6 |
| RT_DIALOG | 0x834a8 | 0x314 | data | | | 0.47588832487309646 |
| RT_DIALOG | 0x837bc | 0x24a | data | | | 0.6279863481228669 |
| RT_STRING | 0x83a08 | 0x1fc | data | | | 0.421259842519685 |
| RT_STRING | 0x83c04 | 0x246 | data | | | 0.41924398625429554 |
| RT_STRING | 0x83e4c | 0x1a6 | data | | | 0.514218009478673 |
| RT_STRING | 0x83ff4 | 0xdc | data | | | 0.65 |
| RT_STRING | 0x840d0 | 0x470 | data | | | 0.3873239436619718 |
| RT_STRING | 0x84540 | 0x164 | data | | | 0.5056179775280899 |
| RT_STRING | 0x846a4 | 0x110 | data | | | 0.5772058823529411 |
| RT_STRING | 0x847b4 | 0x158 | data | | | 0.4563953488372093 |
| RT_STRING | 0x8490c | 0xe8 | data | | | 0.5948275862068966 |
| RT_STRING | 0x849f4 | 0x1c6 | data | | | 0.5242290748898678 |
| RT_STRING | 0x84bbc | 0x268 | data | | | 0.4837662337662338 |
| RT_GROUP_ICON | 0x84e24 | 0x14 | data | | | 1.15 |
| RT_MANIFEST | 0x84e38 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.39786666666666665 |
| DLL | Import |
|---|---|
| KERNEL32.dll | LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA |
| OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear |
| gdiplus.dll | GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-03T08:47:38.233328+0100 | 2849354 | ETPRO MALWARE Remote Admin Backdoor Related Activity | 1 | 192.168.2.5 | 49803 | 111.90.147.125 | 80 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                      Dec 3, 2024 08:47:36.788527012 CET56514980578.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:36.788532972 CET56514980578.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:36.788543940 CET5555549806111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:36.788552999 CET5555549806111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:36.788562059 CET80804980778.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:36.788573980 CET80804980778.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:38.232934952 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:38.233238935 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:38.233262062 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:38.233272076 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:38.233292103 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:38.233328104 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:38.353204966 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:38.353216887 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:38.353240967 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:38.353250980 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:38.353259087 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:38.788727999 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:38.948190928 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:39.233191967 CET565149802111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:39.233304024 CET498025651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:39.233470917 CET498025651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:39.282239914 CET5555549806111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:39.282362938 CET4980655555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:39.283157110 CET4980655555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:39.324259043 CET498175651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:39.326065063 CET4981855555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:39.354825974 CET565149802111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:39.405154943 CET5555549806111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:39.444730997 CET565149817111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:39.444855928 CET498175651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:39.446285009 CET5555549818111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:39.446357012 CET4981855555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:39.449898005 CET498175651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:39.451394081 CET4981855555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:39.451394081 CET4981855555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:39.451414108 CET498175651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:39.569791079 CET565149817111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:39.571728945 CET5555549818111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:39.571758986 CET5555549818111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:39.571772099 CET565149817111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:39.789566040 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:39.948117971 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:40.805579901 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:40.948143005 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:41.821355104 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:41.865641117 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.030281067 CET565149817111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.030344009 CET498175651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.046101093 CET498175651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.046838999 CET5555549818111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.046910048 CET4981855555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.081856966 CET4981855555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.166512966 CET565149817111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.180402040 CET498245651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.181130886 CET498235655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.183617115 CET4982555555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.201788902 CET5555549818111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.287136078 CET498295651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.297142982 CET4983155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.300451994 CET565149824111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.300523996 CET498245651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.300976038 CET56554982395.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.301071882 CET498235655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.303560972 CET5555549825111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.303642988 CET4982555555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.306375027 CET498245651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.306399107 CET498245651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.306437969 CET4982555555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.306463957 CET4982555555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.306725979 CET498235655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.306773901 CET498235655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.407357931 CET565149829111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.407457113 CET498295651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.413752079 CET498295651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.413768053 CET498295651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.417149067 CET5555549831111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.417248011 CET4983155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.417891979 CET4983155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.417911053 CET4983155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.528366089 CET565149824111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.528383970 CET565149824111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.528392076 CET5555549825111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.528399944 CET5555549825111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.528409004 CET56554982395.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.528417110 CET56554982395.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.528419971 CET56554982395.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.537960052 CET565149829111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.537969112 CET565149829111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.651356936 CET5555549831111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.651371002 CET5555549831111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.836167097 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:42.948116064 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:43.852066040 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:43.948124886 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:44.029345036 CET56554982395.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:44.260607004 CET498235655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:47:44.273865938 CET56554982395.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:50.814492941 CET498605651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:50.841403008 CET565149858111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:50.841483116 CET498585651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:50.841854095 CET498585651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:50.841865063 CET498585651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:50.843379021 CET5555549859111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:50.843466997 CET4985955555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:50.843732119 CET4985955555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:50.843744993 CET4985955555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:50.904959917 CET4986155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:50.927870035 CET5555549853111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:50.934417963 CET565149860111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:50.934511900 CET498605651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:50.937072039 CET498605651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:50.937098026 CET498605651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:50.945969105 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:50.962416887 CET565149858111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:50.962428093 CET565149858111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:50.963620901 CET5555549859111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:50.963632107 CET5555549859111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:50.994985104 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.024909019 CET5555549861111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.025006056 CET4986155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.025347948 CET4986155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.025373936 CET4986155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.057126999 CET565149860111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.057140112 CET565149860111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.145447016 CET5555549861111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.145458937 CET5555549861111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.667651892 CET498078080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.667676926 CET498055651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.668073893 CET49804465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.685215950 CET498625651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.687216043 CET49863465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.700406075 CET498648080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.784041882 CET498658080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.787509918 CET498675651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.788220882 CET49868465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.805166960 CET56514986278.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.805243969 CET498625651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.805520058 CET498625651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.805532932 CET498625651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.808247089 CET46549863111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.808304071 CET49863465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.820298910 CET80804986478.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.821739912 CET498648080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.828911066 CET46549804111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.828922033 CET56514980578.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.829229116 CET80804980778.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.831343889 CET49863465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.831346035 CET49863465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.831444979 CET498648080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.831468105 CET498648080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.903887033 CET80804986578.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.903963089 CET498658080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.904227972 CET498658080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.904241085 CET498658080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.909013033 CET56514986778.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.909097910 CET498675651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.909329891 CET498675651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.909356117 CET498675651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.909827948 CET46549868111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.909885883 CET49868465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.910109043 CET49868465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.910145044 CET49868465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.925451040 CET56514986278.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.925509930 CET56514986278.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.951419115 CET46549863111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.951427937 CET46549863111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.951436996 CET80804986478.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.951445103 CET80804986478.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:51.962352991 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:52.010617018 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:52.025281906 CET80804986578.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:52.025371075 CET80804986578.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:52.029359102 CET56514986778.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:52.029367924 CET56514986778.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:52.029980898 CET46549868111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:52.030080080 CET46549868111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:52.977591038 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:53.026283026 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:53.452289104 CET565149858111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:53.452442884 CET498585651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:53.452505112 CET498585651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:53.469818115 CET5555549859111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:53.471705914 CET4985955555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:53.473862886 CET4985955555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:53.546380043 CET498735651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:53.547125101 CET4987455555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:53.563122034 CET565149860111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:53.563689947 CET498605651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:53.565036058 CET498605651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:53.572510958 CET565149858111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:53.594430923 CET5555549859111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:53.639607906 CET5555549861111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:53.639769077 CET4986155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:53.639909029 CET4986155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:47:53.666384935 CET565149873111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:59.571198940 CET565149897111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:59.682661057 CET5555549898111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:47:59.682727098 CET5555549898111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:00.070312023 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:00.120074987 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:01.085998058 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:01.135649920 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:01.963143110 CET565149895111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:01.963223934 CET498955651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:01.963334084 CET498955651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:01.977197886 CET5555549896111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:01.977271080 CET4989655555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:01.977314949 CET4989655555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.062416077 CET499025651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.063271999 CET4990355555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.083369017 CET565149895111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.085796118 CET565149897111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.085896969 CET498975651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.085953951 CET498975651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.097270966 CET5555549896111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.102448940 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.151309013 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.171464920 CET499045651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.182451963 CET565149902111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.182574034 CET499025651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.183060884 CET499025651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.183072090 CET499025651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.183201075 CET5555549903111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.183259010 CET4990355555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.183479071 CET4990355555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.183633089 CET4990355555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.186079025 CET5555549898111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.186151028 CET4989855555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.186228991 CET4989855555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.206008911 CET565149897111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.281068087 CET4990555555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.291496992 CET565149904111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.291572094 CET499045651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.291944981 CET499045651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.291944981 CET499045651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.302973032 CET565149902111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.303008080 CET565149902111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.303368092 CET5555549903111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.303440094 CET5555549903111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.306082010 CET5555549898111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.401000023 CET5555549905111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.401140928 CET4990555555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.402487040 CET4990555555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.402537107 CET4990555555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.412164927 CET565149904111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.412178993 CET565149904111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.522505999 CET5555549905111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:02.522521019 CET5555549905111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:03.118411064 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:03.166887999 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:04.134814978 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:04.182528019 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:04.813494921 CET5555549903111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:04.813572884 CET4990355555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:04.813656092 CET4990355555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:04.851953030 CET565149902111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:04.852044106 CET499025651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:04.852087021 CET499025651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:04.905574083 CET4991155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:04.906070948 CET499125651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:04.933612108 CET5555549903111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:04.963234901 CET565149904111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:04.963299990 CET499045651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:04.963352919 CET499045651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:04.973547935 CET565149902111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.014081001 CET499145651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.025660992 CET5555549911111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.025851011 CET4991155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.025935888 CET565149912111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.025990009 CET499125651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.026252985 CET4991155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.026292086 CET4991155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.026326895 CET499125651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.026412010 CET499125651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.047388077 CET5555549905111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.047449112 CET4990555555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.047503948 CET4990555555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.083408117 CET565149904111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.125272989 CET4991555555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.134402990 CET565149914111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.134495020 CET499145651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.134773970 CET499145651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.134785891 CET499145651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.146575928 CET5555549911111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.146590948 CET5555549911111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.146611929 CET565149912111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.146621943 CET565149912111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.148653030 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.167401075 CET5555549905111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.198148012 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.245578051 CET5555549915111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:05.245661974 CET4991555555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:10.836606979 CET4992855555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:10.836780071 CET4992855555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:10.836790085 CET4992855555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:10.941570997 CET565149927111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:10.941732883 CET565149927111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:10.956991911 CET5555549928111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:10.957003117 CET5555549928111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:11.227197886 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:11.276288986 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:12.243112087 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:12.291892052 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.258666039 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.293746948 CET5555549925111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.293872118 CET4992555555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.294891119 CET4992555555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.307512999 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.328491926 CET4992955555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.345138073 CET565149926111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.345237970 CET499265651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.345324039 CET499265651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.414895058 CET5555549925111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.437465906 CET499305651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.449327946 CET5555549929111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.449377060 CET565149927111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.449440002 CET4992955555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.449480057 CET499275651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.449575901 CET499275651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.450150967 CET4992955555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.450172901 CET4992955555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.465286016 CET565149926111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.494038105 CET5555549928111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.494854927 CET4992855555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.494908094 CET4992855555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.546189070 CET4993155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.546288967 CET499325651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.557487011 CET565149930111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.557569981 CET499305651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.558119059 CET499305651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.558146954 CET499305651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.569411039 CET565149927111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.570076942 CET5555549929111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.570091009 CET5555549929111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.615909100 CET5555549928111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.667720079 CET5555549931111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.667732000 CET565149932111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.667790890 CET4993155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.667809010 CET499325651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.668912888 CET4993155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.668932915 CET4993155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.669567108 CET499325651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.669580936 CET499325651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.679582119 CET565149930111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.679744959 CET565149930111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.723287106 CET80804986478.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.723355055 CET498648080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.738276005 CET46549863111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.738348007 CET49863465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.778732061 CET56514986278.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.779122114 CET498625651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.789108992 CET5555549931111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.789119959 CET5555549931111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.789499998 CET565149932111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.789510012 CET565149932111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.856710911 CET56514986778.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.856856108 CET498675651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.862822056 CET46549868111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.862943888 CET49868465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.872147083 CET80804986578.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:13.872570992 CET498658080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:14.275768995 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:14.323178053 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:15.239939928 CET565549842109.234.156.179192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:15.289519072 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:15.291898966 CET498425655192.168.2.5109.234.156.179
                                                                                                                                                                                                                      Dec 3, 2024 08:48:15.338788033 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:16.117866993 CET5555549929111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:16.117969036 CET4992955555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:16.118009090 CET4992955555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:16.157635927 CET565149930111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:16.157689095 CET499305651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:16.157727957 CET499305651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:16.179547071 CET499335651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:16.179771900 CET4993455555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:16.238279104 CET5555549929111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:16.279700041 CET565149930111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:16.289125919 CET565149932111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:16.289186001 CET499325651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:16.289237976 CET499325651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:16.296247005 CET5555549931111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:16.296305895 CET4993155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:16.296329975 CET4993155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:16.299490929 CET565149933111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:16.299561024 CET499335651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:16.299614906 CET5555549934111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:16.299704075 CET4993455555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:16.299850941 CET499335651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:16.299865007 CET4993455555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:16.299877882 CET4993455555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:22.393158913 CET46549918111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:22.399240971 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:22.428442955 CET80804994578.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:22.429781914 CET499458080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:22.430068970 CET499458080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:22.430068970 CET499458080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:22.432993889 CET46549946111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:22.433064938 CET49946465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:22.433243036 CET56514994778.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:22.433311939 CET49946465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:22.433325052 CET49946465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:22.433401108 CET499475651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:22.433727026 CET499475651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:22.433727026 CET499475651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:22.448193073 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:22.550021887 CET80804994578.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:22.550071955 CET80804994578.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:22.553214073 CET46549946111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:22.553231955 CET46549946111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:22.553725958 CET56514994778.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:22.553886890 CET56514994778.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:23.427520990 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:23.479454994 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:24.430423021 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:24.479536057 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:24.561918020 CET565149941111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:24.565769911 CET499415651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:24.565941095 CET499415651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:24.639309883 CET5555549942111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:24.642108917 CET4994255555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:24.642196894 CET4994255555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:24.685884953 CET565149941111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:24.763345003 CET5555549942111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:24.937799931 CET499495651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:24.949147940 CET4995055555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:25.059056997 CET565149949111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:25.059175968 CET499495651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:25.069139004 CET5555549950111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:25.069210052 CET4995055555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:25.109136105 CET499495651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:25.109148979 CET499495651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:25.109292030 CET4995055555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:25.109313011 CET4995055555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:25.229398012 CET565149949111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:25.229415894 CET565149949111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:25.229435921 CET5555549950111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:25.229444981 CET5555549950111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:25.445736885 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:25.495068073 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:26.461997032 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:26.510709047 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:27.477374077 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:27.526338100 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:27.687628984 CET565149949111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:27.687802076 CET499495651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:27.704982996 CET5555549950111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:27.706908941 CET499495651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:27.706979990 CET4995055555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:27.717858076 CET4995055555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:27.809904099 CET499515651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:27.810024023 CET4995255555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:27.827799082 CET565149949111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:27.838157892 CET5555549950111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:27.930036068 CET565149951111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:27.930048943 CET5555549952111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:27.930123091 CET499515651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:27.930303097 CET4995255555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:27.930516005 CET499515651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:27.930548906 CET499515651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:27.930589914 CET4995255555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:27.930692911 CET4995255555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:28.052608967 CET565149951111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:28.053446054 CET565149951111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:28.053494930 CET5555549952111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:28.053510904 CET5555549952111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:28.492773056 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:28.542005062 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:29.066346884 CET46549918111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:29.066385984 CET80804992078.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:29.066473961 CET56514991978.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:29.066571951 CET49918465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:29.066595078 CET499208080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:29.067711115 CET499195651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:29.508445024 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:29.557547092 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:30.126440048 CET565149943111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:30.126508951 CET499435651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:30.126548052 CET499435651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:30.127634048 CET5555549944111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:30.127686977 CET4994455555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:30.131575108 CET4994455555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:30.192745924 CET499535651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:30.192895889 CET4995455555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:30.246483088 CET565149943111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:30.253098965 CET5555549944111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:30.314886093 CET565149953111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:30.314897060 CET5555549954111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:30.314970970 CET499535651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:36.448035955 CET499645651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:36.535253048 CET5555549963111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:36.535317898 CET5555549963111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:36.567992926 CET565149964111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:36.568005085 CET565149964111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:36.633208036 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:36.682713985 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.417885065 CET499458080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.448935986 CET49946465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.449317932 CET499475651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.498925924 CET49965465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.500195980 CET499665651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.513055086 CET499678080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.581362009 CET80804994578.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.609426975 CET56514994778.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.609437943 CET46549946111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.618885994 CET46549965111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.619797945 CET49965465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.620059967 CET56514996678.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.620214939 CET49965465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.620225906 CET49965465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.620251894 CET499665651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.620390892 CET499665651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.620409966 CET499665651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.632998943 CET80804996778.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.633820057 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.633943081 CET499678080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.634080887 CET499678080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.635744095 CET499678080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.682595968 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.740186930 CET46549965111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.740212917 CET46549965111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.740268946 CET56514996678.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.740291119 CET56514996678.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.753992081 CET80804996778.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:37.755589008 CET80804996778.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:38.578802109 CET565149961111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:38.578897953 CET499615651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:38.578946114 CET499615651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:38.592339993 CET499685651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:38.627335072 CET5555549962111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:38.627465963 CET4996255555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:38.627504110 CET4996255555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:38.649430037 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:38.698227882 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:38.698878050 CET565149961111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:38.701780081 CET4996955555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:38.712466002 CET565149968111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:38.712557077 CET499685651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:38.712790966 CET499685651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:38.714113951 CET499685651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:38.747473001 CET5555549962111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:38.821712971 CET5555549969111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:38.821851015 CET4996955555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:38.822144032 CET4996955555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:38.822571039 CET4996955555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:38.835184097 CET565149968111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:38.836074114 CET565149968111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:38.944449902 CET5555549969111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:38.944725990 CET5555549969111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.006119013 CET499705655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.086986065 CET565149964111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.087168932 CET499645651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.087228060 CET499645651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.087510109 CET5555549963111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.087770939 CET4996355555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.087846994 CET4996355555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.126162052 CET56554997095.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.127886057 CET499705655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.141108990 CET499705655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.141149998 CET499705655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.148274899 CET499715651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.148334026 CET4997255555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.207179070 CET565149964111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.207720041 CET5555549963111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.261132002 CET56554997095.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.261149883 CET56554997095.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.261168003 CET56554997095.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.268357038 CET565149971111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.268368006 CET5555549972111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.268512964 CET4997255555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.268512964 CET499715651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.268907070 CET499715651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.268943071 CET499715651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.268945932 CET4997255555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.271753073 CET4997255555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.388907909 CET565149971111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.388925076 CET565149971111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.388932943 CET5555549972111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.391644955 CET5555549972111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.665373087 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.667553902 CET499705655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.713849068 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:39.833806038 CET56554997095.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:40.177005053 CET56554997095.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:40.179835081 CET499705655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:48:40.680140018 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:40.729440928 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:47.581660032 CET499795651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:47.581751108 CET499795651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:47.670372963 CET499835651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:47.701741934 CET565149979111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:47.774060965 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:47.790623903 CET565149983111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:47.790723085 CET499835651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:47.791173935 CET499835651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:47.791173935 CET499835651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:47.885885000 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:47.911192894 CET565149983111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:47.911204100 CET565149983111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:48.789916992 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:48.885718107 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:49.805151939 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:49.885936975 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:49.956584930 CET5555549982111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:49.956650019 CET4998255555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:49.956676960 CET4998255555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:49.969785929 CET4998455555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.026700974 CET565149981111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.027817965 CET499815651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.027863026 CET499815651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.078697920 CET499855651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.079075098 CET5555549982111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.091408014 CET5555549984111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.091495037 CET4998455555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.091804028 CET4998455555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.091804981 CET4998455555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.148216009 CET565149981111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.198853016 CET565149985111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.198956013 CET499855651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.200460911 CET499855651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.200469017 CET499855651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.211708069 CET5555549984111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.211725950 CET5555549984111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.320413113 CET565149985111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.320425034 CET565149985111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.421179056 CET565149983111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.421232939 CET499835651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.421345949 CET499835651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.514884949 CET499865651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.541578054 CET565149983111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.597071886 CET499875655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.636238098 CET565149986111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.636347055 CET499865651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.636744022 CET499865651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.636765003 CET499865651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.718070984 CET56554998795.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.718156099 CET499875655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.718751907 CET499875655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.718772888 CET499875655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.719532967 CET499875655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.756758928 CET565149986111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.756788015 CET565149986111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.820621014 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.838655949 CET56554998795.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.838665962 CET56554998795.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.838732004 CET56554998795.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.885462046 CET56554998795.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:50.885694027 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:51.782957077 CET56554998795.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:51.783808947 CET499875655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:48:51.836523056 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:51.885888100 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.637451887 CET499665651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.637789965 CET499678080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.638211966 CET49965465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.689491987 CET5555549984111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.689562082 CET4998455555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.689609051 CET4998455555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.746942997 CET49988465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.748287916 CET4998955555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.751908064 CET499905651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.754204035 CET499918080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.797530890 CET56514996678.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.805530071 CET46549965111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.805581093 CET80804996778.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.851743937 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.853482962 CET5555549984111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.866938114 CET46549988111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.867856979 CET49988465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.868201971 CET5555549989111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.868273020 CET4998955555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.868700027 CET49988465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.868700027 CET49988465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.868731976 CET4998955555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.870923996 CET565149985111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.870949984 CET4998955555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.870999098 CET499855651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.871637106 CET499855651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.871809006 CET56514999078.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.874089003 CET80804999178.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.874177933 CET499905651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.875786066 CET499918080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.882224083 CET499905651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.882236958 CET499905651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:52.882304907 CET499918080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:59.187000990 CET4999855555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:59.205364943 CET565150001111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:59.205895901 CET565150001111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:59.299030066 CET5000255555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:59.309714079 CET5555549998111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:59.419095039 CET5555550002111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:59.419190884 CET5000255555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:59.420051098 CET5000255555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:59.420063019 CET5000255555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:59.539963961 CET5555550002111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:59.540050983 CET5555550002111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:59.551492929 CET80804996778.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:59.551624060 CET499678080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:59.567086935 CET56514996678.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:59.568770885 CET499665651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:48:59.623330116 CET46549965111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:48:59.623434067 CET49965465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:48:59.961529970 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:00.073234081 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:00.977257013 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.088886023 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.151230097 CET5555549999111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.154052019 CET4999955555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.154073000 CET4999955555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.232700109 CET5000355555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.274090052 CET5555549999111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.352750063 CET5555550003111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.352823973 CET5000355555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.359220982 CET565150000111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.359311104 CET500005651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.359467030 CET500005651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.362351894 CET5000355555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.362361908 CET5000355555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.451427937 CET500045651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.479676008 CET565150000111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.482284069 CET5555550003111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.482328892 CET5555550003111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.571383953 CET565150004111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.574057102 CET500045651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.574275017 CET500045651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.574285030 CET500045651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.694725037 CET565150004111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.694744110 CET565150004111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.712574005 CET565150001111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.714020967 CET500015651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.714050055 CET500015651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.746742010 CET500055655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.783127069 CET500065651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.833954096 CET565150001111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.866612911 CET56555000595.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.869908094 CET500055655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.871583939 CET500055655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.871684074 CET500055655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.872642994 CET500055655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.903049946 CET565150006111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.903127909 CET500065651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.904290915 CET500065651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.904300928 CET500065651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.978693962 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.991473913 CET56555000595.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.991565943 CET56555000595.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:01.991707087 CET56555000595.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:02.024244070 CET565150006111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:02.024280071 CET565150006111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:02.033596992 CET56555000595.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:02.048130989 CET5555550002111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:02.049909115 CET5000255555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:02.049947977 CET5000255555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:02.088901997 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:02.108752012 CET5000755555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:02.170038939 CET5555550002111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:02.228751898 CET5555550007111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:02.230026007 CET5000755555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:02.230319977 CET5000755555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:02.230334044 CET5000755555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:02.350281000 CET5555550007111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:02.350327015 CET5555550007111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:02.917284966 CET56555000595.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:02.917346001 CET500055655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:49:02.993144989 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:03.074424982 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:03.986090899 CET5555550003111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:03.986170053 CET5000355555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:03.992989063 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:04.024912119 CET5000355555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:04.104490042 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:04.144902945 CET5555550003111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:04.199171066 CET565150004111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:04.201843977 CET500045651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:04.203113079 CET500045651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:04.256988049 CET500085651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:04.257241964 CET5000955555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:04.323045969 CET565150004111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:04.376967907 CET565150008111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:04.377090931 CET5555550009111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:04.377183914 CET500085651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:04.378032923 CET5000955555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:04.410559893 CET500085651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.132742882 CET500205651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.132930040 CET5002155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.135304928 CET565150012111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.151288986 CET565150014111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.151380062 CET500145651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.152053118 CET500145651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.203546047 CET500225651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.252774954 CET565150020111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.252850056 CET5555550021111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.252932072 CET500205651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.254916906 CET5002155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.262259007 CET500205651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.262271881 CET500205651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.262315989 CET5002155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.262348890 CET5002155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.271905899 CET565150014111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.276376963 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.323523998 CET565150022111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.323673010 CET500225651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.330780029 CET500225651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.330780029 CET500225651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.382299900 CET565150020111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.382311106 CET565150020111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.382328033 CET5555550021111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.382345915 CET5555550021111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.450767040 CET565150022111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.450776100 CET565150022111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.589390039 CET5555550016111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.589478970 CET5001655555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.589529991 CET5001655555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.640377998 CET5002355555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.709472895 CET5555550016111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.760742903 CET5555550023111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.761969090 CET5002355555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.762967110 CET5002355555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.762979984 CET5002355555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.882893085 CET5555550023111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:10.882915974 CET5555550023111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:11.117326021 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:11.276376963 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:12.133595943 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:12.276432991 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:12.877507925 CET565150020111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:12.879873991 CET500205651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:12.915731907 CET5555550021111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:12.915798903 CET5002155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:12.923376083 CET565150022111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:12.923438072 CET500225651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:13.150113106 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:13.276587963 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:13.361218929 CET5555550023111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:13.362517118 CET5002355555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:14.164774895 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:14.385955095 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:14.779882908 CET46549988111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:14.779939890 CET49988465192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:14.793576956 CET80804999178.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:14.794212103 CET499918080192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:49:14.803724051 CET56514999078.138.9.142192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:14.803791046 CET499905651192.168.2.578.138.9.142
                                                                                                                                                                                                                      Dec 3, 2024 08:49:15.180325985 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:15.229469061 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:16.195723057 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:16.245116949 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:17.211978912 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:17.260735035 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:18.227633953 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:18.276355982 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:19.242338896 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:19.291975021 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:20.259980917 CET8049803111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:20.307610035 CET4980380192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:20.763891935 CET500205651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:20.763942957 CET5002155555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:20.764964104 CET500225651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:20.765618086 CET5002355555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:20.865797043 CET500245651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:20.866142035 CET5002555555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:20.884042025 CET5555550021111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:20.884083986 CET565150020111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:20.884793997 CET565150022111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:20.886178017 CET5555550023111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:20.980495930 CET500265655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:49:20.985866070 CET565150024111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:20.986011982 CET500245651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:20.986044884 CET5555550025111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:20.986110926 CET5002555555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:20.986239910 CET500245651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:20.986239910 CET500245651192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:20.986341000 CET5002555555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:20.986341000 CET5002555555192.168.2.5111.90.147.125
                                                                                                                                                                                                                      Dec 3, 2024 08:49:21.100472927 CET56555002695.213.205.83192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:21.100599051 CET500265655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:49:21.101567030 CET500265655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:49:21.101833105 CET500265655192.168.2.595.213.205.83
                                                                                                                                                                                                                      Dec 3, 2024 08:49:21.106332064 CET565150024111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:21.106446981 CET565150024111.90.147.125192.168.2.5
                                                                                                                                                                                                                      Dec 3, 2024 08:49:21.106453896 CET5555550025111.90.147.125192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 3, 2024 08:47:41.377574921 CET | 53378 | 53 | 192.168.2.5 | 1.1.1.1
Dec 3, 2024 08:47:42.068829060 CET | 53 | 53378 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 3, 2024 08:47:41.377574921 CET | 192.168.2.5 | 1.1.1.1 | 0x563 | Standard query (0) | id72.internetid.ru | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 3, 2024 08:47:27.076615095 CET | 1.1.1.1 | 192.168.2.5 | 0x292d | No error (0) | templatesmetadata.office.net | templatesmetadata.office.net.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 3, 2024 08:47:39.867738962 CET | 1.1.1.1 | 192.168.2.5 | 0xb621 | No error (0) | prod.globalsign.map.fastly.net | | 151.101.130.133 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 08:47:39.867738962 CET | 1.1.1.1 | 192.168.2.5 | 0xb621 | No error (0) | prod.globalsign.map.fastly.net | | 151.101.66.133 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 08:47:39.867738962 CET | 1.1.1.1 | 192.168.2.5 | 0xb621 | No error (0) | prod.globalsign.map.fastly.net | | 151.101.194.133 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 08:47:39.867738962 CET | 1.1.1.1 | 192.168.2.5 | 0xb621 | No error (0) | prod.globalsign.map.fastly.net | | 151.101.2.133 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 08:47:42.068829060 CET | 1.1.1.1 | 192.168.2.5 | 0x563 | No error (0) | id72.internetid.ru | main.internetid.ru | | CNAME (Canonical name) | IN (0x0001) | false
Dec 3, 2024 08:47:42.068829060 CET | 1.1.1.1 | 192.168.2.5 | 0x563 | No error (0) | main.internetid.ru | | 95.213.205.83 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 08:48:22.546601057 CET | 1.1.1.1 | 192.168.2.5 | 0x9e68 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 08:48:22.546601057 CET | 1.1.1.1 | 192.168.2.5 | 0x9e68 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49803 | 111.90.147.125 | 80 | 7864 | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Timestamp | Bytes transferred | Direction | Data
Dec 3, 2024 08:47:36.668247938 CET | 6 | OUT | Data Raw: 00 00 00 07
Data Ascii:
Dec 3, 2024 08:47:36.668265104 CET | 6 | OUT | Data Raw: 00 00 00 03
Data Ascii:
Dec 3, 2024 08:47:38.232934952 CET | 4 | IN | Data Raw: 00 01 12 7e
Data Ascii: ~
Dec 3, 2024 08:47:38.233238935 CET | 6 | OUT | Data Raw: 00 01 12 7e
Data Ascii: ~
Dec 3, 2024 08:47:38.233262062 CET | 6 | OUT | Data Raw: 00 00 00 01
Data Ascii:
Dec 3, 2024 08:47:38.233272076 CET | 6 | OUT | Data Raw: 2d 2d 0d 0a
Data Ascii: --
Dec 3, 2024 08:47:38.233292103 CET | 6 | OUT | Data Raw: 00 00 00 2e
Data Ascii: .
Dec 3, 2024 08:47:38.233328104 CET | 46 | OUT | Data Raw: 22 00 43 00 6f 00 6d 00 70 00 75 00 74 00 65 00 72 00 20 00 6e 00 61 00 6d 00 65 00 3a 00 20 00 33 00 30 00 31 00 33 00 38 00 39 00 22 00
Data Ascii: "Computer name: 301389"
Dec 3, 2024 08:47:38.788727999 CET | 4 | IN | Data Raw: 00 00 00 00
Data Ascii:
Dec 3, 2024 08:47:39.789566040 CET | 4 | IN | Data Raw: 00 00 00 00
Data Ascii:



                                                                                                                                                                                                                      Target ID:0
                                                                                                                                                                                                                      Start time:02:47:04
                                                                                                                                                                                                                      Start date:03/12/2024
                                                                                                                                                                                                                      Path:C:\Users\user\Desktop\442.docx.exe
                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                      Commandline:"C:\Users\user\Desktop\442.docx.exe"
                                                                                                                                                                                                                      Imagebase:0x7ff7c99a0000
                                                                                                                                                                                                                      File size:25'141'051 bytes
                                                                                                                                                                                                                      MD5 hash:FB8117B1A3F0924100FBC209DBBB1BB1
                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                      Target ID:2
                                                                                                                                                                                                                      Start time:02:47:06
                                                                                                                                                                                                                      Start date:03/12/2024
                                                                                                                                                                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                      Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\intel\Word.msi" /qn
                                                                                                                                                                                                                      Imagebase:0x7ff659560000
                                                                                                                                                                                                                      File size:69'632 bytes
                                                                                                                                                                                                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                      Target ID:3
                                                                                                                                                                                                                      Start time:02:47:06
                                                                                                                                                                                                                      Start date:03/12/2024
                                                                                                                                                                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                      Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                      Imagebase:0x7ff659560000
                                                                                                                                                                                                                      File size:69'632 bytes
                                                                                                                                                                                                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                      Target ID:4
                                                                                                                                                                                                                      Start time:02:47:07
                                                                                                                                                                                                                      Start date:03/12/2024
                                                                                                                                                                                                                      Path:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\intel\Doc.docx" /o ""
                                                                                                                                                                                                                      Imagebase:0xb60000
                                                                                                                                                                                                                      File size:1'620'872 bytes
                                                                                                                                                                                                                      MD5 hash:1A0C2C2E7D9C4BC18E91604E9B0C7678
                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                      Target ID:5
                                                                                                                                                                                                                      Start time:02:47:08
                                                                                                                                                                                                                      Start date:03/12/2024
                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 684489E62C864DF5C283E9DB67C8FC1A
                                                                                                                                                                                                                      Imagebase:0x600000
                                                                                                                                                                                                                      File size:59'904 bytes
                                                                                                                                                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                      Has exited:true

Target ID:6
Start time:02:47:10
Start date:03/12/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:0x7ff7e52b0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:11
Start time:02:47:14
Start date:03/12/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Imagebase:0x7ff7e52b0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:12
Start time:02:47:18
Start date:03/12/2024
Path:C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\intel\Word.msi"
Imagebase:0xc70000
File size:11'132'168 bytes
MD5 hash:CB9BE257064162076EBD4869CD97E166
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 0000000C.00000000.2172554360.0000000001725000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
• Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Author: Joe Security
• Rule: MALWARE_Win_RemoteUtilitiesRAT, Description: RemoteUtilitiesRAT RAT payload, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Author: ditekSHen
Antivirus matches:
• Detection: 13%, ReversingLabs
Reputation:low
Has exited:true

Target ID:14
Start time:02:47:22
Start date:03/12/2024
Path:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
Imagebase:0xb10000
File size:21'764'872 bytes
MD5 hash:D563A4D6BFCFE6884D1AC88824CB5C2A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 0000000E.00000000.2219293441.0000000001FD1000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security
• Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Author: Joe Security
• Rule: MALWARE_Win_RemoteUtilitiesRAT, Description: RemoteUtilitiesRAT RAT payload, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Author: ditekSHen
Antivirus matches:
• Detection: 12%, ReversingLabs
Reputation:low
Has exited:true

Target ID:15
Start time:02:47:28
Start date:03/12/2024
Path:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
Imagebase:0xb10000
File size:21'764'872 bytes
MD5 hash:D563A4D6BFCFE6884D1AC88824CB5C2A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Reputation:low
Has exited:true

Target ID:16
Start time:02:47:30
Start date:03/12/2024
Path:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
Imagebase:0xb10000
File size:21'764'872 bytes
MD5 hash:D563A4D6BFCFE6884D1AC88824CB5C2A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Reputation:low
Has exited:true

Target ID:17
Start time:02:47:32
Start date:03/12/2024
Path:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -service
Imagebase:0xb10000
File size:21'764'872 bytes
MD5 hash:D563A4D6BFCFE6884D1AC88824CB5C2A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:false

Target ID:18
Start time:02:47:33
Start date:03/12/2024
Path:C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
Imagebase:0xb10000
File size:21'764'872 bytes
MD5 hash:D563A4D6BFCFE6884D1AC88824CB5C2A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:19
Start time:02:47:34
Start date:03/12/2024
Path:C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
Imagebase:0xc70000
File size:11'132'168 bytes
MD5 hash:CB9BE257064162076EBD4869CD97E166
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000013.00000002.3304532933.000000000206A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                      • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000013.00000002.3304532933.0000000002046000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                      Target ID:20
                                                                                                                                                                                                                      Start time:02:47:34
                                                                                                                                                                                                                      Start date:03/12/2024
                                                                                                                                                                                                                      Path:C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
                                                                                                                                                                                                                      Imagebase:0xc70000
                                                                                                                                                                                                                      File size:11'132'168 bytes
                                                                                                                                                                                                                      MD5 hash:CB9BE257064162076EBD4869CD97E166
                                                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                                      Programmed in:Borland Delphi
                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                      • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000014.00000002.3309338966.0000000003858000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                      • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000014.00000002.3320249204.0000000005420000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                      • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000014.00000002.3309338966.000000000388A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                      • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000014.00000002.3320249204.0000000005464000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                      Target ID:21
                                                                                                                                                                                                                      Start time:02:47:43
                                                                                                                                                                                                                      Start date:03/12/2024
                                                                                                                                                                                                                      Path:C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
                                                                                                                                                                                                                      Imagebase:0xc70000
                                                                                                                                                                                                                      File size:11'132'168 bytes
                                                                                                                                                                                                                      MD5 hash:CB9BE257064162076EBD4869CD97E166
                                                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                                      Programmed in:Borland Delphi
                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                                        Execution Coverage:12.2%
                                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                        Signature Coverage:26.3%
                                                                                                                                                                                                                        Total number of Nodes:2000
                                                                                                                                                                                                                        Total number of Limit Nodes:29
26039 7ff7c99b2209 26035->26039 26036 7ff7c99b22af 26038 7ff7c99d2320 _handle_error 8 API calls 26036->26038 26037->26036 26040 7ff7c99a20b0 33 API calls 26037->26040 26041 7ff7c99b22c4 26038->26041 26042 7ff7c99b220d CreateFileW 26039->26042 26043 7ff7c99b2246 26039->26043 26040->26036 26041->25832 26041->25833 26042->26043 26043->26037 26044 7ff7c99b22d8 26043->26044 26045 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26044->26045 26046 7ff7c99b22dd 26045->26046 26048 7ff7c99b2072 26047->26048 26049 7ff7c99b2066 26047->26049 26049->26048 26548 7ff7c99b20d0 26049->26548 26555 7ff7c99caa08 26051->26555 26053 7ff7c99cd1ee 26054 7ff7c99a1fa0 31 API calls 26053->26054 26055 7ff7c99cd1f7 26054->26055 26056 7ff7c99d2320 _handle_error 8 API calls 26055->26056 26057 7ff7c99cbc2b 26056->26057 26057->25838 26060 7ff7c99cef00 26688 7ff7c99a704c 47 API calls BuildCatchObjectHelperInternal 26060->26688 26061 7ff7c99bd22c 33 API calls 26196 7ff7c99ccf03 BuildCatchObjectHelperInternal 26061->26196 26063 7ff7c99cef06 26068 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26063->26068 26065 7ff7c99ceeee 26066 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26065->26066 26067 7ff7c99ceef4 26066->26067 26686 7ff7c99a704c 47 API calls BuildCatchObjectHelperInternal 26067->26686 26070 7ff7c99cef0c 26068->26070 26073 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26070->26073 26072 7ff7c99ceefa 26687 7ff7c99a704c 47 API calls BuildCatchObjectHelperInternal 26072->26687 26074 7ff7c99cef12 26073->26074 26079 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26074->26079 26075 7ff7c99cee4a 26076 7ff7c99ceed2 26075->26076 26080 7ff7c99a20b0 33 API calls 26075->26080 26684 7ff7c99a1f80 33 API calls 3 library calls 26076->26684 26077 7ff7c99ceee8 26685 7ff7c99a2004 33 API calls std::_Xinvalid_argument 26077->26685 26078 7ff7c99a13a4 33 API calls 26081 7ff7c99cdc3a GetTempPathW 26078->26081 26082 7ff7c99cef18 26079->26082 26085 
7ff7c99cee77 26080->26085 26081->26196 26089 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26082->26089 26083 7ff7c99b62dc 35 API calls 26083->26196 26683 7ff7c99cabe8 33 API calls 3 library calls 26085->26683 26088 7ff7c99a2520 SetWindowTextW 26088->26196 26094 7ff7c99cef1e 26089->26094 26091 7ff7c99dbb8c 43 API calls 26091->26196 26093 7ff7c99cee8d 26096 7ff7c99a1fa0 31 API calls 26093->26096 26099 7ff7c99ceea4 BuildCatchObjectHelperInternal 26093->26099 26100 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26094->26100 26096->26099 26097 7ff7c99a1fa0 31 API calls 26097->26076 26098 7ff7c99ce7f3 26098->26076 26098->26077 26101 7ff7c99d21d0 33 API calls 26098->26101 26107 7ff7c99ce83b BuildCatchObjectHelperInternal 26098->26107 26099->26097 26102 7ff7c99cef24 26100->26102 26101->26107 26106 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26102->26106 26104 7ff7c99caa08 33 API calls 26104->26196 26105 7ff7c99cef6c 26691 7ff7c99a2004 33 API calls std::_Xinvalid_argument 26105->26691 26111 7ff7c99cef2a 26106->26111 26116 7ff7c99a20b0 33 API calls 26107->26116 26158 7ff7c99ceb8f 26107->26158 26109 7ff7c99a1fa0 31 API calls 26109->26075 26110 7ff7c99cef78 26693 7ff7c99a2004 33 API calls std::_Xinvalid_argument 26110->26693 26122 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26111->26122 26112 7ff7c99cef72 26692 7ff7c99a1f80 33 API calls 3 library calls 26112->26692 26114 7ff7c99a129c 33 API calls 26114->26196 26115 7ff7c99cef66 26690 7ff7c99a1f80 33 API calls 3 library calls 26115->26690 26124 7ff7c99ce963 26116->26124 26119 7ff7c99ced40 26119->26110 26119->26112 26136 7ff7c99ced3b BuildCatchObjectHelperInternal 26119->26136 26141 7ff7c99d21d0 33 API calls 26119->26141 26121 7ff7c99cec2a 26121->26105 26121->26115 26130 7ff7c99cec72 BuildCatchObjectHelperInternal 26121->26130 26121->26136 26138 7ff7c99d21d0 33 API calls 26121->26138 26128 7ff7c99cef30 26122->26128 26123 7ff7c99a2674 31 API calls 26123->26196 26131 
7ff7c99cef60 26124->26131 26137 7ff7c99a129c 33 API calls 26124->26137 26127 7ff7c99ae164 33 API calls 26127->26196 26142 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26128->26142 26129 7ff7c99b3d34 51 API calls 26129->26196 26598 7ff7c99cf4e0 26130->26598 26689 7ff7c99a704c 47 API calls BuildCatchObjectHelperInternal 26131->26689 26133 7ff7c99cd5e9 GetDlgItem 26139 7ff7c99a2520 SetWindowTextW 26133->26139 26136->26109 26143 7ff7c99ce9a6 26137->26143 26138->26130 26144 7ff7c99cd608 SendMessageW 26139->26144 26141->26136 26147 7ff7c99cef36 26142->26147 26679 7ff7c99bd22c 26143->26679 26144->26196 26145 7ff7c99bdc2c 33 API calls 26145->26196 26146 7ff7c99b32bc 51 API calls 26146->26196 26152 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26147->26152 26150 7ff7c99b5b60 53 API calls 26150->26196 26151 7ff7c99a1fa0 31 API calls 26151->26196 26157 7ff7c99cef3c 26152->26157 26153 7ff7c99b5aa8 33 API calls 26153->26196 26154 7ff7c99cd63c SendMessageW 26154->26196 26156 7ff7c99b3f30 54 API calls 26156->26196 26161 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26157->26161 26158->26119 26158->26121 26164 7ff7c99cef54 26158->26164 26167 7ff7c99cef5a 26158->26167 26166 7ff7c99cef42 26161->26166 26163 7ff7c99a129c 33 API calls 26188 7ff7c99ce9d1 26163->26188 26165 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26164->26165 26165->26167 26172 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26166->26172 26168 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26167->26168 26168->26131 26169 7ff7c99a4228 33 API calls 26169->26196 26170 7ff7c99a1744 33 API calls 26170->26196 26171 7ff7c99a2034 33 API calls 26171->26196 26175 7ff7c99cef48 26172->26175 26173 7ff7c99b5820 33 API calls 26173->26196 26174 7ff7c99b32a8 51 API calls 26174->26196 26176 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26175->26176 26178 7ff7c99cef4e 26176->26178 26177 7ff7c99a250c SetDlgItemTextW 26177->26196 
26182 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26178->26182 26181 7ff7c99a1150 33 API calls 26181->26196 26182->26164 26183 7ff7c99c99c8 31 API calls 26183->26196 26185 7ff7c99a1fa0 31 API calls 26185->26188 26187 7ff7c99c13c4 CompareStringW 26187->26188 26188->26158 26188->26163 26188->26175 26188->26178 26188->26185 26188->26187 26191 7ff7c99bd22c 33 API calls 26188->26191 26189 7ff7c99cdf99 EndDialog 26189->26196 26191->26188 26192 7ff7c99cdb21 MoveFileW 26193 7ff7c99cdb55 MoveFileExW 26192->26193 26194 7ff7c99cdb70 26192->26194 26193->26194 26195 7ff7c99a1fa0 31 API calls 26194->26195 26194->26196 26195->26194 26196->26053 26196->26060 26196->26061 26196->26063 26196->26065 26196->26067 26196->26070 26196->26072 26196->26074 26196->26075 26196->26078 26196->26082 26196->26083 26196->26088 26196->26091 26196->26094 26196->26098 26196->26102 26196->26104 26196->26111 26196->26114 26196->26123 26196->26127 26196->26128 26196->26129 26196->26145 26196->26146 26196->26147 26196->26150 26196->26151 26196->26153 26196->26154 26196->26156 26196->26157 26196->26166 26196->26169 26196->26170 26196->26171 26196->26173 26196->26174 26196->26177 26196->26181 26196->26183 26196->26189 26196->26192 26197 7ff7c99b2f58 56 API calls 26196->26197 26198 7ff7c99a20b0 33 API calls 26196->26198 26200 7ff7c99a8d04 33 API calls 26196->26200 26559 7ff7c99c13c4 CompareStringW 26196->26559 26560 7ff7c99ca440 26196->26560 26636 7ff7c99bcfa4 35 API calls _invalid_parameter_noinfo_noreturn 26196->26636 26637 7ff7c99c95b4 33 API calls Concurrency::cancel_current_task 26196->26637 26638 7ff7c99d0684 31 API calls _invalid_parameter_noinfo_noreturn 26196->26638 26639 7ff7c99adf4c 47 API calls BuildCatchObjectHelperInternal 26196->26639 26640 7ff7c99ca834 33 API calls _invalid_parameter_noinfo_noreturn 26196->26640 26641 7ff7c99c9518 33 API calls 26196->26641 26642 7ff7c99cabe8 33 API calls 3 library calls 26196->26642 26643 7ff7c99b7368 33 API calls 2 library calls 
26196->26643 26644 7ff7c99b4088 33 API calls 26196->26644 26645 7ff7c99b65b0 33 API calls 3 library calls 26196->26645 26646 7ff7c99b72cc 26196->26646 26650 7ff7c99b31bc 26196->26650 26664 7ff7c99b3ea0 FindClose 26196->26664 26665 7ff7c99c13f4 CompareStringW 26196->26665 26666 7ff7c99c9cd0 47 API calls 26196->26666 26667 7ff7c99c87d8 51 API calls 3 library calls 26196->26667 26668 7ff7c99cab54 33 API calls _handle_error 26196->26668 26669 7ff7c99b7df4 26196->26669 26677 7ff7c99b5b08 CompareStringW 26196->26677 26678 7ff7c99b7eb0 47 API calls 26196->26678 26197->26196 26198->26196 26200->26196 26202 7ff7c99cf9a3 26201->26202 26203 7ff7c99a20b0 33 API calls 26202->26203 26205 7ff7c99cf9b9 26203->26205 26204 7ff7c99cf9ee 26706 7ff7c99ae34c 26204->26706 26205->26204 26206 7ff7c99a20b0 33 API calls 26205->26206 26206->26204 26208 7ff7c99cfa4b 26726 7ff7c99ae7a8 26208->26726 26212 7ff7c99cfa61 26213 7ff7c99d2320 _handle_error 8 API calls 26212->26213 26214 7ff7c99cbc52 26213->26214 26214->25853 27828 7ff7c99c849c 26216->27828 26219 7ff7c99cf4b7 26222 7ff7c99d2320 _handle_error 8 API calls 26219->26222 26220 7ff7c99cf3c7 GetWindow 26221 7ff7c99cf3e2 26220->26221 26221->26219 26224 7ff7c99cf3ee GetClassNameW 26221->26224 26226 7ff7c99cf496 GetWindow 26221->26226 26227 7ff7c99cf417 GetWindowLongPtrW 26221->26227 26223 7ff7c99cbe9b 26222->26223 26223->25613 26223->25614 27833 7ff7c99c13c4 CompareStringW 26224->27833 26226->26219 26226->26221 26227->26226 26228 7ff7c99cf429 SendMessageW 26227->26228 26228->26226 26229 7ff7c99cf445 GetObjectW 26228->26229 27834 7ff7c99c8504 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 26229->27834 26231 7ff7c99cf461 27835 7ff7c99c84cc 26231->27835 27839 7ff7c99c8df4 16 API calls _handle_error 26231->27839 26234 7ff7c99cf479 SendMessageW DeleteObject 26234->26226 26236 7ff7c99b6300 26235->26236 26241 7ff7c99b638d 26235->26241 26237 7ff7c99a13a4 33 API calls 26236->26237 26238 7ff7c99b631b GetCurrentDirectoryW 26237->26238 26239 7ff7c99b6341 
26238->26239 26240 7ff7c99a20b0 33 API calls 26239->26240 26242 7ff7c99b634f 26240->26242 26241->25630 26242->26241 26243 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26242->26243 26244 7ff7c99b63a9 26243->26244 26246 7ff7c99a2527 26245->26246 26247 7ff7c99a252a SetWindowTextW 26245->26247 26246->26247 26248 7ff7c9a0e2e0 26247->26248 26249->25637 26251 7ff7c99a12d0 26250->26251 26252 7ff7c99a139b 26250->26252 26255 7ff7c99a1396 26251->26255 26256 7ff7c99a1338 26251->26256 26259 7ff7c99a12de BuildCatchObjectHelperInternal 26251->26259 27843 7ff7c99a2004 33 API calls std::_Xinvalid_argument 26252->27843 27842 7ff7c99a1f80 33 API calls 3 library calls 26255->27842 26258 7ff7c99d21d0 33 API calls 26256->26258 26256->26259 26258->26259 26259->25675 26260->25709 26262 7ff7c99b32bc 51 API calls 26261->26262 26263 7ff7c99b32b1 26262->26263 26263->25719 26263->25741 26264->25719 26266 7ff7c99a13a4 33 API calls 26265->26266 26267 7ff7c99b6489 26266->26267 26268 7ff7c99b648c GetModuleFileNameW 26267->26268 26271 7ff7c99b64dc 26267->26271 26269 7ff7c99b64a7 26268->26269 26270 7ff7c99b64de 26268->26270 26269->26267 26270->26271 26272 7ff7c99a129c 33 API calls 26271->26272 26273 7ff7c99b6506 26272->26273 26274 7ff7c99b653e 26273->26274 26275 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26273->26275 26274->25777 26276 7ff7c99b6560 26275->26276 26277->25792 26279 7ff7c99a20f6 26278->26279 26281 7ff7c99a20cb BuildCatchObjectHelperInternal 26278->26281 27844 7ff7c99a1474 33 API calls 3 library calls 26279->27844 26281->25814 26282->25825 26283->25836 26284->25846 26285->25851 26286->25861 26288 7ff7c99d3620 26287->26288 26288->25864 26288->26288 26289->25782 26291 7ff7c99a1177 26290->26291 26292 7ff7c99a2034 33 API calls 26291->26292 26293 7ff7c99a1185 BuildCatchObjectHelperInternal 26292->26293 26293->25796 26295 7ff7c99a2085 26294->26295 26296 7ff7c99a2059 BuildCatchObjectHelperInternal 26294->26296 27845 7ff7c99a15b8 33 API calls 3 library calls 
26295->27845 26296->25769 26298->25818 26299->25887 26300->25910 26301->25925 26302->25937 26328 7ff7c99b3e28 26303->26328 26306 7ff7c99c0f68 WideCharToMultiByte 26312 7ff7c99ba519 26306->26312 26307 7ff7c99ba589 26332 7ff7c99b9408 26307->26332 26310 7ff7c99ba6f2 GetSystemMetrics GetWindow 26315 7ff7c99ba821 26310->26315 26316 7ff7c99ba71d 26310->26316 26311 7ff7c99ba603 26313 7ff7c99ba6c2 26311->26313 26314 7ff7c99ba60c GetWindowLongPtrW 26311->26314 26312->26307 26323 7ff7c99b9800 31 API calls 26312->26323 26326 7ff7c99ba56a SetDlgItemTextW 26312->26326 26347 7ff7c99b95a8 26313->26347 26318 7ff7c9a0e2c0 26314->26318 26317 7ff7c99d2320 _handle_error 8 API calls 26315->26317 26316->26315 26325 7ff7c99ba73e GetWindowRect 26316->26325 26327 7ff7c99ba800 GetWindow 26316->26327 26320 7ff7c99ba830 26317->26320 26321 7ff7c99ba6aa GetWindowRect 26318->26321 26320->25950 26321->26313 26323->26312 26324 7ff7c99ba6e5 SetWindowTextW 26324->26310 26325->26316 26326->26312 26327->26315 26327->26316 26329 7ff7c99b3e4d _snwprintf 26328->26329 26330 7ff7c99d9ef0 swprintf 46 API calls 26329->26330 26331 7ff7c99b3e69 26330->26331 26331->26306 26333 7ff7c99b95a8 47 API calls 26332->26333 26335 7ff7c99b944f 26333->26335 26334 7ff7c99d2320 _handle_error 8 API calls 26336 7ff7c99b958e GetWindowRect GetClientRect 26334->26336 26337 7ff7c99a129c 33 API calls 26335->26337 26345 7ff7c99b955a 26335->26345 26336->26310 26336->26311 26338 7ff7c99b949c 26337->26338 26339 7ff7c99b95a1 26338->26339 26340 7ff7c99a129c 33 API calls 26338->26340 26341 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26339->26341 26343 7ff7c99b9514 26340->26343 26342 7ff7c99b95a7 26341->26342 26344 7ff7c99b959c 26343->26344 26343->26345 26346 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26344->26346 26345->26334 26346->26339 26348 7ff7c99b3e28 swprintf 46 API calls 26347->26348 26349 7ff7c99b95eb 26348->26349 26350 7ff7c99c0f68 WideCharToMultiByte 26349->26350 26351 7ff7c99b9603 
26350->26351 26352 7ff7c99b9800 31 API calls 26351->26352 26353 7ff7c99b961b 26352->26353 26354 7ff7c99d2320 _handle_error 8 API calls 26353->26354 26355 7ff7c99b962b 26354->26355 26355->26310 26355->26324 26368 7ff7c99a13a4 26356->26368 26359 7ff7c99a2494 26360 7ff7c99a129c 33 API calls 26359->26360 26361 7ff7c99a24a2 26360->26361 26362 7ff7c99a24dd 26361->26362 26364 7ff7c99a2505 26361->26364 26363 7ff7c99d2320 _handle_error 8 API calls 26362->26363 26365 7ff7c99a24f3 26363->26365 26366 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26364->26366 26365->25959 26367 7ff7c99a250a 26366->26367 26369 7ff7c99a13ad 26368->26369 26377 7ff7c99a142d GetWindowTextW 26368->26377 26370 7ff7c99a143d 26369->26370 26372 7ff7c99a13ce 26369->26372 26379 7ff7c99a2018 33 API calls std::_Xinvalid_argument 26370->26379 26374 7ff7c99d21d0 33 API calls 26372->26374 26375 7ff7c99a13db __scrt_get_show_window_mode 26372->26375 26374->26375 26378 7ff7c99a197c 31 API calls _invalid_parameter_noinfo_noreturn 26375->26378 26377->26359 26378->26377 26380->25976 26382->25984 26384 7ff7c99cae80 GetDlgItem 26383->26384 26385 7ff7c99cae3c GetMessageW 26383->26385 26384->25995 26384->25996 26386 7ff7c99cae5b IsDialogMessageW 26385->26386 26387 7ff7c99cae6a TranslateMessage DispatchMessageW 26385->26387 26386->26384 26386->26387 26387->26384 26390 7ff7c99b36b3 26388->26390 26389 7ff7c99b36e0 26422 7ff7c99b32bc 26389->26422 26390->26389 26392 7ff7c99b36cc CreateDirectoryW 26390->26392 26392->26389 26393 7ff7c99b377d 26392->26393 26395 7ff7c99b378d 26393->26395 26408 7ff7c99b3d34 26393->26408 26399 7ff7c99d2320 _handle_error 8 API calls 26395->26399 26396 7ff7c99b3791 GetLastError 26396->26395 26401 7ff7c99b37b9 26399->26401 26401->26014 26402 7ff7c99b3720 CreateDirectoryW 26403 7ff7c99b373b 26402->26403 26404 7ff7c99b3774 26403->26404 26405 7ff7c99b37ce 26403->26405 26404->26393 26404->26396 26406 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26405->26406 26407 
7ff7c99b37d3 26406->26407 26409 7ff7c99b3d5e SetFileAttributesW 26408->26409 26410 7ff7c99b3d5b 26408->26410 26411 7ff7c99b3d74 26409->26411 26412 7ff7c99b3df5 26409->26412 26410->26409 26413 7ff7c99b6a0c 49 API calls 26411->26413 26414 7ff7c99d2320 _handle_error 8 API calls 26412->26414 26415 7ff7c99b3d99 26413->26415 26416 7ff7c99b3e0a 26414->26416 26417 7ff7c99b3d9d SetFileAttributesW 26415->26417 26418 7ff7c99b3dbc 26415->26418 26416->26395 26417->26418 26418->26412 26419 7ff7c99b3e1a 26418->26419 26420 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26419->26420 26421 7ff7c99b3e1f 26420->26421 26423 7ff7c99b32e4 26422->26423 26424 7ff7c99b32e7 GetFileAttributesW 26422->26424 26423->26424 26425 7ff7c99b32f8 26424->26425 26433 7ff7c99b3375 26424->26433 26427 7ff7c99b6a0c 49 API calls 26425->26427 26426 7ff7c99d2320 _handle_error 8 API calls 26429 7ff7c99b3389 26426->26429 26428 7ff7c99b331f 26427->26428 26430 7ff7c99b3323 GetFileAttributesW 26428->26430 26431 7ff7c99b333c 26428->26431 26429->26396 26436 7ff7c99b6a0c 26429->26436 26430->26431 26432 7ff7c99b3399 26431->26432 26431->26433 26434 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26432->26434 26433->26426 26435 7ff7c99b339e 26434->26435 26437 7ff7c99b6a4b 26436->26437 26458 7ff7c99b6a44 26436->26458 26440 7ff7c99a129c 33 API calls 26437->26440 26438 7ff7c99d2320 _handle_error 8 API calls 26439 7ff7c99b371c 26438->26439 26439->26402 26439->26403 26441 7ff7c99b6a76 26440->26441 26442 7ff7c99b6a96 26441->26442 26443 7ff7c99b6cc7 26441->26443 26445 7ff7c99b6ab0 26442->26445 26474 7ff7c99b6b49 26442->26474 26444 7ff7c99b62dc 35 API calls 26443->26444 26447 7ff7c99b6ce6 26444->26447 26446 7ff7c99b70ab 26445->26446 26509 7ff7c99ac098 33 API calls 2 library calls 26445->26509 26529 7ff7c99a2004 33 API calls std::_Xinvalid_argument 26446->26529 26448 7ff7c99b6eef 26447->26448 26450 7ff7c99b6d1b 26447->26450 26456 7ff7c99b6b44 26447->26456 26453 7ff7c99b70cf 26448->26453 26526 
7ff7c99ac098 33 API calls 2 library calls 26448->26526 26454 7ff7c99b70bd 26450->26454 26512 7ff7c99ac098 33 API calls 2 library calls 26450->26512 26451 7ff7c99b70b1 26464 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26451->26464 26532 7ff7c99a2004 33 API calls std::_Xinvalid_argument 26453->26532 26530 7ff7c99a2004 33 API calls std::_Xinvalid_argument 26454->26530 26455 7ff7c99b70d5 26465 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26455->26465 26456->26451 26456->26455 26456->26458 26466 7ff7c99b70a6 26456->26466 26458->26438 26459 7ff7c99b6b03 26467 7ff7c99a1fa0 31 API calls 26459->26467 26475 7ff7c99b6b15 BuildCatchObjectHelperInternal 26459->26475 26461 7ff7c99b6f56 26527 7ff7c99a11cc 33 API calls BuildCatchObjectHelperInternal 26461->26527 26472 7ff7c99b70b7 26464->26472 26473 7ff7c99b70db 26465->26473 26471 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26466->26471 26467->26475 26469 7ff7c99b70c3 26482 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26469->26482 26470 7ff7c99a1fa0 31 API calls 26470->26456 26471->26446 26483 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26472->26483 26479 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26473->26479 26474->26456 26476 7ff7c99a129c 33 API calls 26474->26476 26475->26470 26480 7ff7c99b6bbe 26476->26480 26477 7ff7c99b6f69 26528 7ff7c99b57ac 33 API calls BuildCatchObjectHelperInternal 26477->26528 26478 7ff7c99a1fa0 31 API calls 26493 7ff7c99b6df5 26478->26493 26484 7ff7c99b70e1 26479->26484 26510 7ff7c99b5820 33 API calls 26480->26510 26486 7ff7c99b70c9 26482->26486 26483->26454 26531 7ff7c99a704c 47 API calls BuildCatchObjectHelperInternal 26486->26531 26487 7ff7c99b6d76 BuildCatchObjectHelperInternal 26487->26469 26487->26478 26488 7ff7c99b6bd3 26511 7ff7c99ae164 33 API calls 2 library calls 26488->26511 26491 7ff7c99a1fa0 31 API calls 26492 7ff7c99b6fec 26491->26492 26495 7ff7c99a1fa0 31 API calls 26492->26495 26496 
7ff7c99b6e21 26493->26496 26513 7ff7c99a1744 26493->26513 26494 7ff7c99b6f79 BuildCatchObjectHelperInternal 26494->26473 26494->26491 26499 7ff7c99b6ff6 26495->26499 26496->26486 26503 7ff7c99a129c 33 API calls 26496->26503 26497 7ff7c99b6be9 BuildCatchObjectHelperInternal 26497->26472 26498 7ff7c99a1fa0 31 API calls 26497->26498 26501 7ff7c99b6c6d 26498->26501 26502 7ff7c99a1fa0 31 API calls 26499->26502 26504 7ff7c99a1fa0 31 API calls 26501->26504 26502->26456 26505 7ff7c99b6ec2 26503->26505 26504->26456 26506 7ff7c99a2034 33 API calls 26505->26506 26507 7ff7c99b6edf 26506->26507 26508 7ff7c99a1fa0 31 API calls 26507->26508 26508->26456 26509->26459 26510->26488 26511->26497 26512->26487 26514 7ff7c99a18a1 26513->26514 26517 7ff7c99a1784 26513->26517 26533 7ff7c99a2004 33 API calls std::_Xinvalid_argument 26514->26533 26516 7ff7c99a18a7 26534 7ff7c99a1f80 33 API calls 3 library calls 26516->26534 26517->26516 26520 7ff7c99d21d0 33 API calls 26517->26520 26524 7ff7c99a17ac BuildCatchObjectHelperInternal 26517->26524 26519 7ff7c99a18ad 26535 7ff7c99d354c 31 API calls __std_exception_copy 26519->26535 26520->26524 26522 7ff7c99a18d9 26522->26496 26523 7ff7c99a1859 BuildCatchObjectHelperInternal 26523->26496 26524->26523 26525 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26524->26525 26525->26514 26526->26461 26527->26477 26528->26494 26531->26453 26534->26519 26535->26522 26537 7ff7c99a7206 26536->26537 26538 7ff7c99a713b 26536->26538 26546 7ff7c99a704c 47 API calls BuildCatchObjectHelperInternal 26537->26546 26544 7ff7c99a714b BuildCatchObjectHelperInternal 26538->26544 26545 7ff7c99a3f48 33 API calls 2 library calls 26538->26545 26541 7ff7c99a7273 26541->26030 26542 7ff7c99a720b 26542->26541 26547 7ff7c99a889c 8 API calls BuildCatchObjectHelperInternal 26542->26547 26544->26030 26545->26544 26546->26542 26547->26542 26549 7ff7c99b20ea 26548->26549 26550 7ff7c99b2102 26548->26550 26549->26550 26552 7ff7c99b20f6 CloseHandle 26549->26552 26551 
7ff7c99b2126 26550->26551 26554 7ff7c99ab544 99 API calls 26550->26554 26551->26048 26552->26550 26554->26551 26556 7ff7c99caa36 26555->26556 26557 7ff7c99caa2f 26555->26557 26556->26557 26558 7ff7c99a1744 33 API calls 26556->26558 26557->26196 26558->26556 26559->26196 26561 7ff7c99ca47f 26560->26561 26562 7ff7c99ca706 26560->26562 26694 7ff7c99ccdf8 33 API calls 26561->26694 26564 7ff7c99d2320 _handle_error 8 API calls 26562->26564 26566 7ff7c99ca717 26564->26566 26565 7ff7c99ca49e 26567 7ff7c99a129c 33 API calls 26565->26567 26566->26133 26568 7ff7c99ca4de 26567->26568 26569 7ff7c99a129c 33 API calls 26568->26569 26570 7ff7c99ca517 26569->26570 26571 7ff7c99a129c 33 API calls 26570->26571 26572 7ff7c99ca54a 26571->26572 26695 7ff7c99ca834 33 API calls _invalid_parameter_noinfo_noreturn 26572->26695 26574 7ff7c99ca734 26576 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26574->26576 26575 7ff7c99ca573 26575->26574 26577 7ff7c99ca73a 26575->26577 26578 7ff7c99ca740 26575->26578 26580 7ff7c99a20b0 33 API calls 26575->26580 26583 7ff7c99ca685 26575->26583 26576->26577 26579 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26577->26579 26581 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26578->26581 26579->26578 26580->26583 26582 7ff7c99ca746 26581->26582 26585 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26582->26585 26583->26562 26583->26582 26584 7ff7c99ca72f 26583->26584 26587 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26584->26587 26586 7ff7c99ca74c 26585->26586 26588 7ff7c99a255c 61 API calls 26586->26588 26587->26574 26589 7ff7c99ca795 26588->26589 26590 7ff7c99ca7b1 26589->26590 26591 7ff7c99ca801 SetDlgItemTextW 26589->26591 26595 7ff7c99ca7a1 26589->26595 26592 7ff7c99d2320 _handle_error 8 API calls 26590->26592 26591->26590 26593 7ff7c99ca827 26592->26593 26593->26133 26594 7ff7c99ca7ad 26594->26590 26596 7ff7c99ca7b7 EndDialog 26594->26596 26595->26590 26595->26594 26696 
7ff7c99bbb00 102 API calls 26595->26696 26596->26590 26603 7ff7c99cf529 __scrt_get_show_window_mode 26598->26603 26613 7ff7c99cf87d 26598->26613 26599 7ff7c99a1fa0 31 API calls 26600 7ff7c99cf89c 26599->26600 26601 7ff7c99d2320 _handle_error 8 API calls 26600->26601 26602 7ff7c99cf8a8 26601->26602 26602->26136 26604 7ff7c99cf684 26603->26604 26697 7ff7c99c13c4 CompareStringW 26603->26697 26606 7ff7c99a129c 33 API calls 26604->26606 26607 7ff7c99cf6c0 26606->26607 26608 7ff7c99b32a8 51 API calls 26607->26608 26609 7ff7c99cf6ca 26608->26609 26610 7ff7c99a1fa0 31 API calls 26609->26610 26614 7ff7c99cf6d5 26610->26614 26611 7ff7c99cf742 ShellExecuteExW 26612 7ff7c99cf846 26611->26612 26619 7ff7c99cf755 26611->26619 26612->26613 26617 7ff7c99cf8fb 26612->26617 26613->26599 26614->26611 26616 7ff7c99a129c 33 API calls 26614->26616 26615 7ff7c99cf78e 26699 7ff7c99cfe24 PeekMessageW GetMessageW TranslateMessage DispatchMessageW WaitForSingleObject 26615->26699 26620 7ff7c99cf717 26616->26620 26622 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26617->26622 26618 7ff7c99cf7e3 CloseHandle 26623 7ff7c99cf801 26618->26623 26624 7ff7c99cf7f2 26618->26624 26619->26615 26619->26618 26629 7ff7c99cf781 ShowWindow 26619->26629 26698 7ff7c99b5b60 53 API calls 2 library calls 26620->26698 26627 7ff7c99cf900 26622->26627 26623->26612 26633 7ff7c99cf837 ShowWindow 26623->26633 26700 7ff7c99c13c4 CompareStringW 26624->26700 26626 7ff7c99cf725 26631 7ff7c99a1fa0 31 API calls 26626->26631 26629->26615 26630 7ff7c99cf7a6 26630->26618 26634 7ff7c99cf7b4 GetExitCodeProcess 26630->26634 26632 7ff7c99cf72f 26631->26632 26632->26611 26633->26612 26634->26618 26635 7ff7c99cf7c7 26634->26635 26635->26618 26636->26196 26637->26196 26638->26196 26639->26196 26640->26196 26641->26196 26642->26196 26643->26196 26644->26196 26645->26196 26647 7ff7c99b72ea 26646->26647 26701 7ff7c99ab3a8 26647->26701 26651 7ff7c99b31e4 26650->26651 26652 7ff7c99b31e7 DeleteFileW 26650->26652 26651->26652 
26653 7ff7c99b31fd 26652->26653 26660 7ff7c99b327c 26652->26660 26655 7ff7c99b6a0c 49 API calls 26653->26655 26654 7ff7c99d2320 _handle_error 8 API calls 26656 7ff7c99b3291 26654->26656 26657 7ff7c99b3222 26655->26657 26656->26196 26658 7ff7c99b3226 DeleteFileW 26657->26658 26659 7ff7c99b3243 26657->26659 26658->26659 26659->26660 26661 7ff7c99b32a1 26659->26661 26660->26654 26662 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26661->26662 26663 7ff7c99b32a6 26662->26663 26665->26196 26666->26196 26667->26196 26668->26196 26670 7ff7c99b7e0c 26669->26670 26671 7ff7c99b7e55 26670->26671 26672 7ff7c99b7e23 26670->26672 26705 7ff7c99a704c 47 API calls BuildCatchObjectHelperInternal 26671->26705 26675 7ff7c99a129c 33 API calls 26672->26675 26674 7ff7c99b7e5a 26676 7ff7c99b7e47 26675->26676 26676->26196 26677->26196 26678->26196 26681 7ff7c99bd25e 26679->26681 26680 7ff7c99bd292 26680->26188 26681->26680 26682 7ff7c99a1744 33 API calls 26681->26682 26682->26681 26683->26093 26684->26077 26686->26072 26687->26060 26688->26063 26689->26115 26690->26105 26692->26110 26694->26565 26695->26575 26696->26594 26697->26604 26698->26626 26699->26630 26700->26623 26704 7ff7c99ab3f2 __scrt_get_show_window_mode 26701->26704 26702 7ff7c99d2320 _handle_error 8 API calls 26703 7ff7c99ab4b6 26702->26703 26703->26196 26704->26702 26705->26674 26762 7ff7c99b86ec 26706->26762 26708 7ff7c99ae3c4 26768 7ff7c99ae600 26708->26768 26710 7ff7c99ae4d4 26711 7ff7c99d21d0 33 API calls 26710->26711 26714 7ff7c99ae4f0 26711->26714 26712 7ff7c99ae549 26715 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26712->26715 26713 7ff7c99ae454 26713->26710 26713->26712 26774 7ff7c99c3148 102 API calls 26714->26774 26723 7ff7c99ae54e 26715->26723 26717 7ff7c99ae51d 26718 7ff7c99d2320 _handle_error 8 API calls 26717->26718 26720 7ff7c99ae52d 26718->26720 26719 7ff7c99b18c2 26722 7ff7c99b190d 26719->26722 26724 7ff7c99d7904 _invalid_parameter_noinfo_noreturn 31 API calls 26719->26724 
_invalid_parameter_noinfo_noreturn 28282->28309 28283->28268 28285->28280 28286 7ff7c99ba1d8 28286->28269 28310 7ff7c99b8cd0 33 API calls 2 library calls 28286->28310 28287->28267 28314 7ff7c99d2624 8 API calls 28289->28314 28292->28235 28295 7ff7c99ba468 28294->28295 28295->28177 28297 7ff7c99da47d 28296->28297 28303 7ff7c99da492 28297->28303 28315 7ff7c99dd69c 15 API calls abort 28297->28315 28299 7ff7c99da487 28316 7ff7c99d78e4 31 API calls _invalid_parameter_noinfo_noreturn 28299->28316 28300 7ff7c99d2320 _handle_error 8 API calls 28302 7ff7c99b9b37 28300->28302 28302->28251 28303->28300 28304->28233 28305->28267 28306->28267 28307->28267 28308->28282 28309->28286 28310->28269 28311->28281 28312->28275 28313->28280 28314->28292 28315->28299 28316->28303
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
Memory Dump Source
• Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
Similarity
• API ID: Item$Message$_invalid_parameter_noinfo_noreturn$Send$DialogText$File$ErrorLast$CloseFindFocusLoadStringViewWindow$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleLineMappingParamShellSleepTickTranslateUnmap
• String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
• API String ID: 255727823-2702805183
• Opcode ID: e5fb430667728f95dc108dbc90c1f453d2168efe69669e82241350e9cacaa09f
• Instruction ID: 91dc3fb1b6d049ca0c153a1b15972959f7104b390bac41c8213b38e1c987b1a0
• Opcode Fuzzy Hash: e5fb430667728f95dc108dbc90c1f453d2168efe69669e82241350e9cacaa09f
• Instruction Fuzzy Hash: 65D29062A0868281EBA0BF25EC546B9FF71EFC67A0FD05531D94D076A5EE3CE544CB20
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$FileMessageMoveSend$DialogItemPathTemp
• String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
• API String ID: 3007431893-3916287355
• Opcode ID: 01475848ce634a14826cd04c53170e3b16a21078ef098113d3159c7b50329371
• Instruction ID: 3bc5af3638eb89012eeff31e71f5265db648b8802e283350d540de3f60b34c1e
• Opcode Fuzzy Hash: 01475848ce634a14826cd04c53170e3b16a21078ef098113d3159c7b50329371
• Instruction Fuzzy Hash: 2813B372B0478299EB90EF64D8442EC7BB1EB807A8FD01535DA5D17AE9DF38E584C360

Similarity
• API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
• String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
• API String ID: 1048086575-3710569615
• Opcode ID: fcdfd6d8174970b9a236f1ff0dd38d9f465d88258eb4dfcd8f653860d12c6cc7
• Instruction ID: 76aa6a16709bcdcf40f367e3bb26c852d5e8b9f7d3fbc7020f203ae1fee9ca06
• Opcode Fuzzy Hash: fcdfd6d8174970b9a236f1ff0dd38d9f465d88258eb4dfcd8f653860d12c6cc7
• Instruction Fuzzy Hash: 42127662A0878285EB90AF25E84527DFB71FFC57A4F805131DA9D47AA5DF3CE140C720

Similarity
• API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWideswprintf
• String ID: $%s:$CAPTION
• API String ID: 2100155373-404845831
• Opcode ID: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
• Instruction ID: 6188d4b4c2a65839a4394e903f923f32112dfab9eada3aa265484d337704ab42
• Opcode Fuzzy Hash: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
• Instruction Fuzzy Hash: 2D91D532A1864186E798AF39A80066DFBB1FBC8794F945535EE4E47B58DE3CE805CB10

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                                                                                                                                                                                        • String ID: PNG
                                                                                                                                                                                                                        • API String ID: 211097158-364855578
                                                                                                                                                                                                                        • Opcode ID: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
                                                                                                                                                                                                                        • Instruction ID: cec6d2b445a851b347b9f1467aef74af79eb6b2481462bc38318f1a405eac10c
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A0410B25A19A0282EF84AF679854379ABB4AFC8BE4F844475CA0D47364EE7CE449C720
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID: __tmp_reference_source_
                                                                                                                                                                                                                        • API String ID: 3668304517-685763994
                                                                                                                                                                                                                        • Opcode ID: f93a5901f091a80e527cf63f7fd92bb3ffac14f30fe3de6cd4a58ad4180e2ab3
                                                                                                                                                                                                                        • Instruction ID: 7e8407c6e77d05a4503745baa0a80205de145eeed5bfb6da9ee55ad95d7b3413
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f93a5901f091a80e527cf63f7fd92bb3ffac14f30fe3de6cd4a58ad4180e2ab3
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 45E28362A086C292EBB4AF65D1443AEEB71FBC17A4F804132DB9D036A5CF3CE554C724
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID: CMT
                                                                                                                                                                                                                        • API String ID: 3668304517-2756464174
                                                                                                                                                                                                                        • Opcode ID: f3c9c95c157df1c99ad266365504da1f39fa52ba75423407634179f88c0c16ad
                                                                                                                                                                                                                        • Instruction ID: 1d627b2d98d25cf15aeadb9573940d2d121de5ee5fe09ce7e2c911084a6fde16
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f3c9c95c157df1c99ad266365504da1f39fa52ba75423407634179f88c0c16ad
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 76E2F422B0868286EBA4EF75D5502FDEBB1FB857A4F840035DA9E47696DF3CE054C321

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 474548282-0
                                                                                                                                                                                                                        • Opcode ID: 5b7a682f346ba33cc6e8113bf8bb974c5d06c867b30d63dc8f71ee7e42fd28a6
                                                                                                                                                                                                                        • Instruction ID: b636778bc37e3feeb860f5fd15a6bca11a928d4e4d3c0f47340126a0b9d33c1e
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5b7a682f346ba33cc6e8113bf8bb974c5d06c867b30d63dc8f71ee7e42fd28a6
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4E61A372A08A4681DB60AF25E8842ADA771FBD5BB4F904331EEAD076D9DF3CD584C710

                                                                                                                                                                                                                        Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: CMT
                                                                                                                                                                                                                        • API String ID: 0-2756464174
                                                                                                                                                                                                                        • Opcode ID: 1483503f4f6562bc116dab0f55c891e212737330d95d7192c6dc5e801ab4a3f4
                                                                                                                                                                                                                        • Instruction ID: bcb3c9b294c4187b382f75c744c4a25e8da274c74efcf055675db77dabedc73e
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1483503f4f6562bc116dab0f55c891e212737330d95d7192c6dc5e801ab4a3f4
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4142D222B086819AEB98EF75C1502FDBBB1EB95764F800135DB9E53696DF3CE518C320
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 00cc9b5d49baee892d39d1da46008d2b4229947a5b0a2c39888c4d08721f4c94
                                                                                                                                                                                                                        • Instruction ID: 984bc524204596037e6a3706a88f5fb7df7abd692f2481abf966913d99e6fedd
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 00cc9b5d49baee892d39d1da46008d2b4229947a5b0a2c39888c4d08721f4c94
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CAE1F722B082828BFBB4EF29984427DBFA1FB84798F854135DB4E57785DE3CE5418B14
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 53555d60e433f5a3dc88a335546444deb1b2c319cd0ac3813d1caa597a53afb2
                                                                                                                                                                                                                        • Instruction ID: 04fd18485a12f5f3212b38d879237ef13b50793ef14cf05d286acc62d52b3660
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 53555d60e433f5a3dc88a335546444deb1b2c319cd0ac3813d1caa597a53afb2
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A8B1EFA2B047C992DF98EF66DA096E9A7A5B784BD4F848032DE0D07B40DF3CE155C710
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3340455307-0
                                                                                                                                                                                                                        • Opcode ID: 70d0a199513ddd0303306b6c1f9c9cd84068436a56a79b22c40158a956f58a9a
                                                                                                                                                                                                                        • Instruction ID: 02abfaa024e4d4d70eea59a19a1b63bf8c7e62ae95c898a9d4ded78d666772ca
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 70d0a199513ddd0303306b6c1f9c9cd84068436a56a79b22c40158a956f58a9a
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D9413832B1569286FBB4EF26E94476AAB62FBC4B94F848030DE0D07795CE3CE442C354

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
                                                                                                                                                                                                                        • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
                                                                                                                                                                                                                        • API String ID: 1496594111-2013832382
                                                                                                                                                                                                                        • Opcode ID: 652c747d7e630e86415ee3ad066f254a367a94a472fe2acd263d178260856de2
                                                                                                                                                                                                                        • Instruction ID: aa114c5e978f540241b16b79c55d7f12e4ef38d8989d8862f06f68b7a4523cee
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 652c747d7e630e86415ee3ad066f254a367a94a472fe2acd263d178260856de2
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 50321D35A09F8299EBA1AF64E8401E9B7B8FF84364FD00236DA4D06765EF3CD655C360
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99B8E58: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7C99B8F8D
                                                                                                                                                                                                                        • _snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7C99B9F75
                                                                                                                                                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C99BA42F
                                                                                                                                                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C99BA435
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99C0BBC: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF7C99C0B44), ref: 00007FF7C99C0BE9
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
                                                                                                                                                                                                                        • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
                                                                                                                                                                                                                        • API String ID: 3629253777-3268106645
                                                                                                                                                                                                                        • Opcode ID: 3b26f4d226c81ed995e550c10dd8d2e0a3396c4394cac7f732fcd1ca91b42b00
                                                                                                                                                                                                                        • Instruction ID: baccd5c9e62e43330c3207baf9c931d2926b839f23170ec5eb2f9156433f3b50
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3b26f4d226c81ed995e550c10dd8d2e0a3396c4394cac7f732fcd1ca91b42b00
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1762A022A1968285EBA0EF25C4882BDFBB1FB957A8FC04131DE4D47695EF3DE544C360

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
                                                                                                                                                                                                                        • String ID: H
                                                                                                                                                                                                                        • API String ID: 3432403771-2852464175
                                                                                                                                                                                                                        • Opcode ID: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
                                                                                                                                                                                                                        • Instruction ID: 6e9404fb1779014aec5835cce6c677f61b19a763a09ac0b4787e214cc4c845cd
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8D914E33B09B518AEB94EFA6D8842A8B7B1BB48BA4F844535DE0D17754EF38E545C320

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID: .exe$.inf$Install$p
                                                                                                                                                                                                                        • API String ID: 1054546013-3607691742
                                                                                                                                                                                                                        • Opcode ID: fd3b58b5eb305c00c83d38e58d9e4083d0156c4e785351e455ab425b01f70423
                                                                                                                                                                                                                        • Instruction ID: 88f350dccccad8144b7cd8747872514c49da2af641446f546dc728d2817729e6
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fd3b58b5eb305c00c83d38e58d9e4083d0156c4e785351e455ab425b01f70423
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B5C18B22F08A4295FB90AF25D94027DBBB1AFC5BA0F845031DA4E47AA5DF3CE461C720

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3569833718-0
                                                                                                                                                                                                                        • Opcode ID: 6d17268858d6b6aed380ad60cc2cf8b16547cb3a0c40a3112c59011326a33119
                                                                                                                                                                                                                        • Instruction ID: 0168b1f96f9493ff90cf9ba3ab4c450abba5abfe3081512c7dc846a484908318
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6d17268858d6b6aed380ad60cc2cf8b16547cb3a0c40a3112c59011326a33119
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5D41BF21B1464286F784AF71E810BAE7F70EB89BA8F942135DD0A07B95CE3DD449CB64
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3668304517-0
                                                                                                                                                                                                                        • Opcode ID: 3982dfa35720f311290c569a92371854ba117263ca7aa152baa728957ab7fb83
                                                                                                                                                                                                                        • Instruction ID: c0262140f207e537def49403f8d849387512a4a19c6dc19210fccdc89b8281de
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3982dfa35720f311290c569a92371854ba117263ca7aa152baa728957ab7fb83
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A012AF62F08B4185EB50AF65D4442BDAB71EB857B8F800232DE9D17AE9DF3CE595C320

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 3528 7ff7c99b24c0-7ff7c99b24fb 3529 7ff7c99b2506 3528->3529 3530 7ff7c99b24fd-7ff7c99b2504 3528->3530 3531 7ff7c99b2509-7ff7c99b2578 3529->3531 3530->3529 3530->3531 3532 7ff7c99b257a 3531->3532 3533 7ff7c99b257d-7ff7c99b25a8 CreateFileW 3531->3533 3532->3533 3534 7ff7c99b2688-7ff7c99b268d 3533->3534 3535 7ff7c99b25ae-7ff7c99b25de GetLastError call 7ff7c99b6a0c 3533->3535 3537 7ff7c99b2693-7ff7c99b2697 3534->3537 3544 7ff7c99b25e0-7ff7c99b262a CreateFileW GetLastError 3535->3544 3545 7ff7c99b262c 3535->3545 3539 7ff7c99b26a5-7ff7c99b26a9 3537->3539 3540 7ff7c99b2699-7ff7c99b269c 3537->3540 3542 7ff7c99b26cf-7ff7c99b26e3 3539->3542 3543 7ff7c99b26ab-7ff7c99b26af 3539->3543 3540->3539 3541 7ff7c99b269e 3540->3541 3541->3539 3547 7ff7c99b26e5-7ff7c99b26f0 3542->3547 3548 7ff7c99b270c-7ff7c99b2735 call 7ff7c99d2320 3542->3548 3543->3542 3546 7ff7c99b26b1-7ff7c99b26c9 SetFileTime 3543->3546 3549 7ff7c99b2632-7ff7c99b263a 3544->3549 3545->3549 3546->3542 3550 7ff7c99b26f2-7ff7c99b26fa 3547->3550 3551 7ff7c99b2708 3547->3551 3552 7ff7c99b2673-7ff7c99b2686 3549->3552 3553 7ff7c99b263c-7ff7c99b2653 3549->3553 3555 7ff7c99b26ff-7ff7c99b2703 call 7ff7c99a20b0 3550->3555 3556 7ff7c99b26fc 3550->3556 3551->3548 3552->3537 3557 7ff7c99b2655-7ff7c99b2668 3553->3557 3558 7ff7c99b266e call 7ff7c99d220c 3553->3558 3555->3551 3556->3555 3557->3558 3561 7ff7c99b2736-7ff7c99b273b call 7ff7c99d7904 3557->3561 3558->3552
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3536497005-0
                                                                                                                                                                                                                        • Opcode ID: 7e74b88d639c8d570aa5cbccebcd9353285634c108726f52f9c563d03d833b9c
                                                                                                                                                                                                                        • Instruction ID: b9585f1c58667082701a0102b1b5d55728d65cd81e15d6251f56b29b141909b9
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7e74b88d639c8d570aa5cbccebcd9353285634c108726f52f9c563d03d833b9c
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C0610362A1868185E7609F29E44436EABB1FBD5BB8F500335DFAD03AD8CF3DD0548714

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 3565 7ff7c99cfd0c-7ff7c99cfd37 3566 7ff7c99cfd3c-7ff7c99cfd76 SetEnvironmentVariableW call 7ff7c99bd0a0 3565->3566 3567 7ff7c99cfd39 3565->3567 3570 7ff7c99cfdc3-7ff7c99cfdcb 3566->3570 3571 7ff7c99cfd78 3566->3571 3567->3566 3572 7ff7c99cfdff-7ff7c99cfe1a call 7ff7c99d2320 3570->3572 3573 7ff7c99cfdcd-7ff7c99cfde3 3570->3573 3574 7ff7c99cfd7c-7ff7c99cfd84 3571->3574 3575 7ff7c99cfde5-7ff7c99cfdf8 3573->3575 3576 7ff7c99cfdfa call 7ff7c99d220c 3573->3576 3578 7ff7c99cfd86 3574->3578 3579 7ff7c99cfd89-7ff7c99cfd94 call 7ff7c99bd4c0 3574->3579 3575->3576 3580 7ff7c99cfe1b-7ff7c99cfe23 call 7ff7c99d7904 3575->3580 3576->3572 3578->3579 3587 7ff7c99cfda3-7ff7c99cfda8 3579->3587 3588 7ff7c99cfd96-7ff7c99cfda1 3579->3588 3589 7ff7c99cfdad-7ff7c99cfdc2 SetEnvironmentVariableW 3587->3589 3590 7ff7c99cfdaa 3587->3590 3588->3574 3589->3570 3590->3589
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID: sfxcmd$sfxpar
                                                                                                                                                                                                                        • API String ID: 3540648995-3493335439
                                                                                                                                                                                                                        • Opcode ID: 65c4bc3e57016a74e8805048ea790c6f4a694eba210e4a6448e418b17608a108
                                                                                                                                                                                                                        • Instruction ID: 759fab0cd620d973dd901fc7fce65609fac5fc133775afd8a177ca93e5c0e352
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 65c4bc3e57016a74e8805048ea790c6f4a694eba210e4a6448e418b17608a108
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1B319072A18A0585FB44EF65E8841ACB771FB88BA8F940131DE5E177A9DF38D051C364

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Global$Resource$Object$AllocBitmapCreateDeleteGdipLoadLock$FindFreeFromSizeofStreamUnlock
                                                                                                                                                                                                                        • String ID: ]
                                                                                                                                                                                                                        • API String ID: 3561356813-3352871620
                                                                                                                                                                                                                        • Opcode ID: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
                                                                                                                                                                                                                        • Instruction ID: fa7d2019c9536e4d1e0e85ed846c6d2c447e32661aa65aa5940d3947d289c104
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6F115721B0964242EBD4FF239A54279EAB19FC9BE0F980074D95D07B9ADE2CE814CB10

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Message$DialogDispatchPeekTranslate
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1266772231-0
                                                                                                                                                                                                                        • Opcode ID: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
                                                                                                                                                                                                                        • Instruction ID: bc0298be4b70b84f1f7f54caa875d7acbe9cd3dc30922782f6462ab627230ec9
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 99F01921A2854282EBD0AF24E895E3AB771BFE4B54FD06031E54F82854DE2CD508DA10

                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                                                                                                                                                                        • String ID: EDIT
                                                                                                                                                                                                                        • API String ID: 4243998846-3080729518
                                                                                                                                                                                                                        • Opcode ID: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
                                                                                                                                                                                                                        • Instruction ID: 0b19232530abebc91ae8587f82c77bbf521d620d24cec198908685b497340c73
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FD016221B18A4381FBA4AF21AC107B5F7B0AFE9764FC41031C94E07655DE2CD149CA70

                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: FileWrite$Handle
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 4209713984-0
                                                                                                                                                                                                                        • Opcode ID: 95d7fd16c8d926fcf5da752308064adee905e679e75eda990adbc5c1a1c917ca
                                                                                                                                                                                                                        • Instruction ID: 4475296109fb3c93e61445d960ac874358f022c4b2f101889061adba62ee5693
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 95d7fd16c8d926fcf5da752308064adee905e679e75eda990adbc5c1a1c917ca
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D951E622A1958692EBA0AF26D44477EAB70FFE5BB0F941131EE4E06690DF3CD485C321
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$TextWindow
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 2912839123-0
                                                                                                                                                                                                                        • Opcode ID: dd20fbc03e7b4ed3df35e7997b11e4c7c519625834bd32e30ad2cbcd1638632d
                                                                                                                                                                                                                        • Instruction ID: 32b9567dc69896128ba88d6ef8c212433ff4dc63fb5b468f0dc3176b7ef47996
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: dd20fbc03e7b4ed3df35e7997b11e4c7c519625834bd32e30ad2cbcd1638632d
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 78517E63F1465284FB40AFA5D8892ADAB72AF85BB4F900635DE1C17BDADF6CD440C320
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 2359106489-0
                                                                                                                                                                                                                        • Opcode ID: 9d9d2995018f7f6f648ac6a5d97c5d37007cde808aee1d861722df7aa9659c46
                                                                                                                                                                                                                        • Instruction ID: 5107454ce0e231fdecdaae60bb7ef4984c9dc1d68db2d5f938fb65afab108feb
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9d9d2995018f7f6f648ac6a5d97c5d37007cde808aee1d861722df7aa9659c46
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A931A462A1D68281EBB0EF259486279E771BFC97B0FD00231EE9D42A95DF3CD4458620
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1452418845-0
                                                                                                                                                                                                                        • Opcode ID: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
                                                                                                                                                                                                                        • Instruction ID: eb1d1cc812eec9a6d704baaaf5b3ff9e4f6208c13c1570d1ccb918cbd7e9c1c5
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A9311B12A0C28342FBD4BF6595993BDAAB1AFD1364FC41474D90E4B6D7DE2DA8048272
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ErrorLast$FileHandleRead
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 2244327787-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99BECD8: ResetEvent.KERNEL32 ref: 00007FF7C99BECF1
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99BECD8: ReleaseSemaphore.KERNEL32 ref: 00007FF7C99BED07
                                                                                                                                                                                                                        • ReleaseSemaphore.KERNEL32 ref: 00007FF7C99BE974
                                                                                                                                                                                                                        • CloseHandle.KERNELBASE ref: 00007FF7C99BE993
                                                                                                                                                                                                                        • DeleteCriticalSection.KERNEL32 ref: 00007FF7C99BE9AA
                                                                                                                                                                                                                        • CloseHandle.KERNEL32 ref: 00007FF7C99BE9B7
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99BEA5C: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C99BE95F,?,?,?,00007FF7C99B463A,?,?,?), ref: 00007FF7C99BEA63
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99BEA5C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C99BE95F,?,?,?,00007FF7C99B463A,?,?,?), ref: 00007FF7C99BEA6E
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 502429940-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Thread$CreatePriority
                                                                                                                                                                                                                        • String ID: CreateThread failed
                                                                                                                                                                                                                        • API String ID: 2610526550-3849766595
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: DirectoryInitializeMallocSystem
                                                                                                                                                                                                                        • String ID: riched20.dll
                                                                                                                                                                                                                        • API String ID: 174490985-3360196438
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99C853C: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF7C99C856C
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99BAAE0: LoadStringW.USER32 ref: 00007FF7C99BAB67
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99BAAE0: LoadStringW.USER32 ref: 00007FF7C99BAB80
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99A1FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C99A1FFB
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99A129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7C99A1396
                                                                                                                                                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C99D01BB
                                                                                                                                                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C99D01C1
                                                                                                                                                                                                                        • SendDlgItemMessageW.USER32 ref: 00007FF7C99D01F2
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3106221260-0
                                                                                                                                                                                                                        APIs
Memory Dump Source
• Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Concurrency::cancel_current_task__std_exception_copy_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 2371198981-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CreateFile$_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 2272807158-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 2176759853-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: std::bad_alloc::bad_alloc
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1875163511-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1203560049-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3118131910-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1203560049-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1703294689-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C99AF895
                                                                                                                                                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C99AF89B
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99B3EC8: FindClose.KERNELBASE(?,?,00000000,00007FF7C99C0811), ref: 00007FF7C99B3EFD
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$CloseFind
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3587649625-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3668304517-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,00007FF7C99B274D), ref: 00007FF7C99B28A9
                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00007FF7C99B274D), ref: 00007FF7C99B28B8
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ErrorFileLastPointer
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 2976181284-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Item_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1746051919-0
                                                                                                                                                                                                                        • Opcode ID: 8763c555b957396376e96df864685bb2527d49eefc22d4d720e740779d29c564
                                                                                                                                                                                                                        • Instruction ID: f17ea5f402f39fb32b2114ea274f4ab1e97c32249136060e8c3903da8987de67
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8763c555b957396376e96df864685bb2527d49eefc22d4d720e740779d29c564
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4931B022A1878182EB94AF15E54536EF770EBC5BA0F904231EB9C07B95DF3CE1408720
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: File$BuffersFlushTime
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1392018926-0
                                                                                                                                                                                                                        • Opcode ID: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
                                                                                                                                                                                                                        • Instruction ID: 1ed0459fd787c96fc78eaf2ad4e6d94ed7c1a43815bbc10c98ef4a7f34c9232f
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: ED21E722E0D7A651EBB1AF51D4203BEDFB0EF927A4F984031DE4C02295EE3CD446C211
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: LoadString
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 2948472770-0
                                                                                                                                                                                                                        • Opcode ID: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
                                                                                                                                                                                                                        • Instruction ID: 8e625fd8862b952f7df11c5dd2700f0cce0c5615dd15fc5f42476c088d263286
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 84118E71B0961185EBD0AF26A88456CFBB1BB98FE0F944439CE1E93720DE7CE541C354
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ErrorFileLastPointer
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 2976181284-0
                                                                                                                                                                                                                        • Opcode ID: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
                                                                                                                                                                                                                        • Instruction ID: 3647c5361b7cd7574a0b2756bc8ddbec827bdcde88a48e7b1f004060738987f0
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 25119021A0868181EBA0AF25E84127DAA70EB95BB4F940771DA7D162D5CF3DD582C311
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ItemRectTextWindow$Clientswprintf
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3322643685-0
                                                                                                                                                                                                                        • Opcode ID: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
                                                                                                                                                                                                                        • Instruction ID: 63fcd59cfdc7e3ea75712c58ce26485e4fc4556a6c3fe5cc685601725d9e7c7d
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 19010410A1938A41FFD9BF92A45477DEBB1EFC5764F846035D84D06295DE6CE484C321
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7C99BEBAD,?,?,?,?,00007FF7C99B5752,?,?,?,00007FF7C99B56DE), ref: 00007FF7C99BEB5C
                                                                                                                                                                                                                        • GetProcessAffinityMask.KERNEL32 ref: 00007FF7C99BEB6F
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Process$AffinityCurrentMask
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1231390398-0
                                                                                                                                                                                                                        • Opcode ID: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
                                                                                                                                                                                                                        • Instruction ID: 1dcf94adc90e6827d9d7c13c44a6c23b9f982716dbe02c0ec05a93d30ef70439
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 50E02B61F1854642DF989F97C4504E9B7B2BFC8B50BC48035D60B83614DE2CE5458B00
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1173176844-0
                                                                                                                                                                                                                        • Opcode ID: c507040392a2377e4895e65205c3b95c5fe2146e3485fc393c80d7c2ffdcaf26
                                                                                                                                                                                                                        • Instruction ID: 99904191b68472eae26bed493fdb60c8c0441428fe417b16164e5e2b75e39a79
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c507040392a2377e4895e65205c3b95c5fe2146e3485fc393c80d7c2ffdcaf26
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 08E0EC42E0A18745FFE83E7619AE1B988704FDA770EDC5B30DA7E092C2AD1CB5958231
APIs
Memory Dump Source
• Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
• Opcode ID: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
• Instruction ID: ead4479224ea0468894104995456b45af425d87472b26ae0579627df891e38a0
• Opcode Fuzzy Hash: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
• Instruction Fuzzy Hash: 18E0E662E0D50386FF94BFF258891B8AAF15FD4771B845434C90D97662EE3C94858624
APIs
Memory Dump Source
• Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 3668304517-0
• Opcode ID: af39ee99099a55e795e80951e1502b6695bf377bb292aa42fe2ae5656993095e
• Instruction ID: 561b40ec60101adfe3ef5fa8edda6af097cfc0d4b9f66d49a712af71da793f6e
• Opcode Fuzzy Hash: af39ee99099a55e795e80951e1502b6695bf377bb292aa42fe2ae5656993095e
• Instruction Fuzzy Hash: 10D1CB62B0868155EBA8AF2595452BCFFB5FB85BA4F844075CB9D07BA5CF38E4608320
APIs
Memory Dump Source
• Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
Similarity
• API ID: CompareString_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 1017591355-0
• Opcode ID: fa91c3799828e3c7186940546e344b2356dc381c1e63a9425ea543ecc2eeea66
• Instruction ID: fcef790fddb3d1950844464f04d4e677fc5921ae477784131491c4dc54e37856
• Opcode Fuzzy Hash: fa91c3799828e3c7186940546e344b2356dc381c1e63a9425ea543ecc2eeea66
• Instruction Fuzzy Hash: 0E61D512A0C64781FBF4BE15491427EEAB2AFC9BF4F944131DE4D06BC5EE6CE8418232
APIs
  • Part of subcall function 00007FF7C99BE948: ReleaseSemaphore.KERNEL32 ref: 00007FF7C99BE974
  • Part of subcall function 00007FF7C99BE948: CloseHandle.KERNELBASE ref: 00007FF7C99BE993
  • Part of subcall function 00007FF7C99BE948: DeleteCriticalSection.KERNEL32 ref: 00007FF7C99BE9AA
  • Part of subcall function 00007FF7C99BE948: CloseHandle.KERNEL32 ref: 00007FF7C99BE9B7
• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C99C1ACB
Memory Dump Source
• Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
Similarity
• API ID: CloseHandle$CriticalDeleteReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 904680172-0
• Opcode ID: c9fb0bd089dfeb63d9e2bdc9fa924defd0287578730a09343b72146483e13d02
• Instruction ID: 35e1c903e6a8bbe2a7dc0ea4bba34679e4ec60cb796368805c80f9ecb360a105
• Opcode Fuzzy Hash: c9fb0bd089dfeb63d9e2bdc9fa924defd0287578730a09343b72146483e13d02
• Instruction Fuzzy Hash: C161AE72B16A8592EF58EF65D6940BCB774FF80FA0B944132EB2D07AC1CF28E5608314
APIs
Memory Dump Source
• Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 3668304517-0
• Opcode ID: 69a943e656ee331f1661201cfe822fb8f69a168c4299475660200162fa714270
• Instruction ID: f77fa5e57e8d4ca6558110efeeead2528481dbf2b3680a88737094c528048569
• Opcode Fuzzy Hash: 69a943e656ee331f1661201cfe822fb8f69a168c4299475660200162fa714270
• Instruction Fuzzy Hash: 5151D462A0868241FB90AF6594453ADBF71FBD5BE4F940136EE9D07792CE3DE485C320
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99B3EC8: FindClose.KERNELBASE(?,?,00000000,00007FF7C99C0811), ref: 00007FF7C99B3EFD
                                                                                                                                                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C99AE993
                                                                                                                                                                                                                        Memory Dump Source
• Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CloseFind_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1011579015-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3668304517-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3668304517-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3947729631-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 680105476-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3668304517-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99D1604: GetModuleHandleW.KERNEL32(?,?,?,00007FF7C99D1573,?,?,?,00007FF7C99D192A), ref: 00007FF7C99D162B
                                                                                                                                                                                                                        • DloadProtectSection.DELAYIMP ref: 00007FF7C99D15C9
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: DloadHandleModuleProtectSection
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 2883838935-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99B40BC: FindFirstFileW.KERNELBASE ref: 00007FF7C99B410B
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99B40BC: FindFirstFileW.KERNELBASE ref: 00007FF7C99B415E
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99B40BC: GetLastError.KERNEL32 ref: 00007FF7C99B41AF
                                                                                                                                                                                                                        • FindClose.KERNELBASE(?,?,00000000,00007FF7C99C0811), ref: 00007FF7C99B3EFD
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Find$FileFirst$CloseErrorLast
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1464966427-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: File
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 749574446-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: FileType
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3081899298-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CurrentDirectory
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1611563598-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: AllocHeap
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 4292702814-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: AllocHeap
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 4292702814-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CloseHandle
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 2962429428-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$CloseErrorFileHandleLastwcscpy$ControlCreateCurrentDeleteDeviceDirectoryProcessRemove
                                                                                                                                                                                                                        • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                                                                                                                                                        • API String ID: 2659423929-3508440684
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLoadString$Concurrency::cancel_current_taskInit_thread_footer
                                                                                                                                                                                                                        • String ID: %ls$%s: %s
                                                                                                                                                                                                                        • API String ID: 2539828978-2259941744
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfomemcpy_s
                                                                                                                                                                                                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                                                                                        • API String ID: 1759834784-2761157908
                                                                                                                                                                                                                        • Opcode ID: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
                                                                                                                                                                                                                        • Instruction ID: 4e50434c415f85e13bfb912e6c3c34ce53d0c4c7aee66cfed5063a220ac7023c
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8BB20472A0C2C28BE7A5AE29D4416FDBBB1FBC4798F905135DA0A57F84DF38E5048B10
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
                                                                                                                                                                                                                        • String ID: rtmp
                                                                                                                                                                                                                        • API String ID: 3587137053-870060881
                                                                                                                                                                                                                        • Opcode ID: 6f9f009cc68f79adfaa2d6c81f4dd6478a908af634b8d3a3b94ef6884c4367c6
                                                                                                                                                                                                                        • Instruction ID: b153597b9b98f4fbc5a4f7aa0369519a7796aad8a6b62472ce96a257a18f6607
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6f9f009cc68f79adfaa2d6c81f4dd6478a908af634b8d3a3b94ef6884c4367c6
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4EF1D522B08A8285EB60EF65D4801FDAB71EBD57E4F901131EE4D43AA9DF3CE684C750
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: FullNamePath_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1693479884-0
                                                                                                                                                                                                                        • Opcode ID: 35b10314ce3b8e4c64707b679fc70269f3b9094245ec8e91ba41ccecbc270bb7
                                                                                                                                                                                                                        • Instruction ID: 9e678f371d370c9f84ebcb46113a4ab003708923ae3bf605c6f167c79bc40da5
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 35b10314ce3b8e4c64707b679fc70269f3b9094245ec8e91ba41ccecbc270bb7
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DEA1A262F14B5184FF60AFB9D8481BCA732ABC5BB4B944235DE6D17BD8DE3CE0818211
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3140674995-0
                                                                                                                                                                                                                        • Opcode ID: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
                                                                                                                                                                                                                        • Instruction ID: 062afdc25ae2eb4cbf892724c1dd530b8e0527c31d023f18745be472bf3dc33a
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 41317272609B818AEBA0AF61E8943EDB770FB84758F844439DB4D47B88DF38D548C720
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1239891234-0
                                                                                                                                                                                                                        • Opcode ID: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
                                                                                                                                                                                                                        • Instruction ID: 5066bf3f65deafbdfae1b15602bf4dea160fa275b5c0705869f4490a281eb29a
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DE316232608B8185E7A09F65E8842AEB7B4FBC4B64F940135EA9D43B99DF38D545C710
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3668304517-0
                                                                                                                                                                                                                        • Opcode ID: 64d25151ef3fe23f20685aee3441bda27b372bcb0863407ca166e54c625fc733
                                                                                                                                                                                                                        • Instruction ID: da6675887399059b6fe6ea6bb045b5de6365d64ce0672e159db01b86e56828c1
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 64d25151ef3fe23f20685aee3441bda27b372bcb0863407ca166e54c625fc733
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5AB1C062B1468686EB60AF65D8442EDA771FFC57E4F905231EA8D07B99EF3CE640C310
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C99DFAC4
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99D7934: GetCurrentProcess.KERNEL32(00007FF7C99E0CCD), ref: 00007FF7C99D7961
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CurrentProcess_invalid_parameter_noinfo
                                                                                                                                                                                                                        • String ID: *?$.
                                                                                                                                                                                                                        • API String ID: 2518042432-3972193922
                                                                                                                                                                                                                        • Opcode ID: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
                                                                                                                                                                                                                        • Instruction ID: f703df37a4a340d08c1464272f6a557e3b2de627f37156f1a214393865eb5987
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3151F663B25B9541FF50EFA198950B8ABB4FB88BE8B844531DE1E17B84EF3CD0528310
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: memcpy_s
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1502251526-0
                                                                                                                                                                                                                        • Opcode ID: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
                                                                                                                                                                                                                        • Instruction ID: 98af2cd675a356e5fd426929701c46299e7cdc7f906151a64be412260284cae8
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6DD1C032B1C6C687DBA4DF15E1846AEBBA1FBC87A4F548134CB4E57B44DA3CE8418B10
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ErrorFormatFreeLastLocalMessage
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1365068426-0
                                                                                                                                                                                                                        • Opcode ID: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
                                                                                                                                                                                                                        • Instruction ID: be7ee5e4bc9ea5769d2ae074683d21e92ca344c0cc7dc3385fbad35323f414c0
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 15014F7260C74282E790AF62B89017EA7A5FBCABD1F884034EA8D47B45CE3CD9158710
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: .
                                                                                                                                                                                                                        • API String ID: 0-248832578
                                                                                                                                                                                                                        • Opcode ID: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
                                                                                                                                                                                                                        • Instruction ID: e0fa670d7f70206be132987e2b9b012cb60ae431fa4be43b534ba5ee9cce0314
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 96311823B1869145E7A0AF3298497A9BEA1ABD4BF4F848234DE6D07BC5CE3CD5118310
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ExceptionRaise_clrfp
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 15204871-0
                                                                                                                                                                                                                        • Opcode ID: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
                                                                                                                                                                                                                        • Instruction ID: 453c4452a7e284438f85351a6c478faafed02904653199d914b1f1285fb9928e
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9CB19D73A18B888BEB55CF29C84636C7BB0F784B58F198921DB5D837A8CB39D451C711
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ObjectRelease$CapsDevice
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1061551593-0
                                                                                                                                                                                                                        • Opcode ID: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
                                                                                                                                                                                                                        • Instruction ID: 4b70170d0c87d4941a8bd6f066bfce6c52c9d57c9753206368a81ced765b652e
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F0815E32B08A0586EB50EF6AD8406ACBB71FB88B98F4041B2DE0D57B64DF3CD545C750
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: FormatInfoLocaleNumber
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 2169056816-0
                                                                                                                                                                                                                        • Opcode ID: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
                                                                                                                                                                                                                        • Instruction ID: 4579bf204d67076a206a7c3f39597d0620ecbbfc595bbf6b7fae860e15be4ff7
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3F118C62A08B8196E7A1AF21E8107E9BB70FF88BA4FC44031DA4D03A64EF3CD145CB54
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99B24C0: CreateFileW.KERNELBASE ref: 00007FF7C99B259B
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99B24C0: GetLastError.KERNEL32 ref: 00007FF7C99B25AE
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99B24C0: CreateFileW.KERNEL32 ref: 00007FF7C99B260E
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99B24C0: GetLastError.KERNEL32 ref: 00007FF7C99B2617
                                                                                                                                                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C99B15D0
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99B3980: MoveFileW.KERNEL32 ref: 00007FF7C99B39BD
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99B3980: MoveFileW.KERNEL32 ref: 00007FF7C99B3A34
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: File$CreateErrorLastMove$_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 34527147-0
                                                                                                                                                                                                                        • Opcode ID: 980cd56be866766a23a9553c8d4159ccf1d73d98ddfd7d5c2418f08c88695bde
                                                                                                                                                                                                                        • Instruction ID: 2369fa1b641945e0d017b7074ea9cf7e9124f2fc0e432a67699ca68aced2315b
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 980cd56be866766a23a9553c8d4159ccf1d73d98ddfd7d5c2418f08c88695bde
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BA91C122B18A4682EBB0EF62D4442ADAB71FBD5BD4F804036EE4D47B95DE3CD645C320
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Version
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1889659487-0
                                                                                                                                                                                                                        • Opcode ID: 5e1f820920c456f15e44ae9d5f0cc3b6f822566f542002a6e47536c5256bfc9c
                                                                                                                                                                                                                        • Instruction ID: def3b109a3d7bc34af00062eb0f1b1b8e7392950b7960f5b977b2e64e76af9a2
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5e1f820920c456f15e44ae9d5f0cc3b6f822566f542002a6e47536c5256bfc9c
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 99015A7194D58285FBF1AF21A8143B9FBA09BE9765FC41134CA9D07291CE2CA048DA24
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                        • String ID: 0
                                                                                                                                                                                                                        • API String ID: 3215553584-4108050209
                                                                                                                                                                                                                        • Opcode ID: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
                                                                                                                                                                                                                        • Instruction ID: 25fb65ae3a170fd360d53580ac6fa36cc2367633c8e1264e5b33b24317883daf
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C4810623A1814247EBE8BE2680C867DAAB0EFE0B64F941471DD09976D7CF2DE801C760
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                        • String ID: 0
                                                                                                                                                                                                                        • API String ID: 3215553584-4108050209
                                                                                                                                                                                                                        • Opcode ID: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
                                                                                                                                                                                                                        • Instruction ID: 78bba30db4b001872604644f1ab3a256a4feeb3d30458f69d773c74983113201
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9D711863A0C24346FBE4AE1B40C827DEFB09FC1764F9819B1DD0997697CE2DE8468761
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: gj
                                                                                                                                                                                                                        • API String ID: 0-4203073231
                                                                                                                                                                                                                        • Opcode ID: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
                                                                                                                                                                                                                        • Instruction ID: fec0b8fc95b448aeaeabe6126eb3d62dad300ad0cfaa37488d697d3ece957296
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8251AF376286908BD764CF25E404A9EB7B5F388798F445126EF8A93B08DB3DE945CF40
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: @
                                                                                                                                                                                                                        • API String ID: 0-2766056989
                                                                                                                                                                                                                        • Opcode ID: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
                                                                                                                                                                                                                        • Instruction ID: bb6cb279adc095519dc832f08e799dc6fa46f2a6eff0c307e6bb6f4d960cf40c
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0941C233714A4486EF84DF2AD5582A9BBA1B799FE0B9D9036DE1D87754EE3CD042C340
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: HeapProcess
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 54951025-0
                                                                                                                                                                                                                        • Opcode ID: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
                                                                                                                                                                                                                        • Instruction ID: 74601cd1ceac214635753c5abb35cb30f25575cacdddb747e8d90dc3e55a65ac
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FCB09230E1BA02C2EA893F626C8225876B4BFC8720FD4A078C10D42320DE2C20A58721
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 1df1e6e81a57214c8643d36be1bb9cde3812740f73d4ab830297bee2ffae98a2
                                                                                                                                                                                                                        • Instruction ID: a2026ffb9775ba9e04de01089480897cdf9fd8e224414415ca03b1e5f828a656
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1df1e6e81a57214c8643d36be1bb9cde3812740f73d4ab830297bee2ffae98a2
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E58236B3A096C186D784DF24C8042BCBFB1F795B98F998136DA4E07785DA3DD445CB20
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
                                                                                                                                                                                                                        • Instruction ID: 9fea3ae70affdb18115528da5edcda1118708b9528d05bb7106e795474630e43
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C3626D9AD3AF9A1EE303A53954131D2E35C0EF74C9551E31BFCE431E66EB92A6832314
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 83a45c88a368d7276059de07aefbbc35b61cea5d64746511b72f3674958eea04
                                                                                                                                                                                                                        • Instruction ID: cdfd69a8eadea1b6a548aecd171b3d18766acb3af96227a656b0296dc652107a
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 83a45c88a368d7276059de07aefbbc35b61cea5d64746511b72f3674958eea04
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9482E1B3A0D6C18AD794DE24D8446FCBFB1E795B98F488136CA4D4778ACA3CD485CB21
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: AddressProc
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 190572456-0
                                                                                                                                                                                                                        • Opcode ID: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
                                                                                                                                                                                                                        • Instruction ID: f03ecf10e39cb45628a6535c8f2222e5bbaae77c1a11ab1e41493ec042b01571
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D6913063B1858196EB51EF29D8516FDAB31FF95798F841031EF4E07A49EE38E606C320
Memory Dump Source
• Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
                                                                                                                                                                                                                        • API String ID: 3668304517-727060406
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                                                                                                                                                                                        • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                                                                                                                                                        • API String ID: 2565136772-3242537097
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
                                                                                                                                                                                                                        • String ID: DXGIDebug.dll$UNC$\\?\
                                                                                                                                                                                                                        • API String ID: 4097890229-4048004291
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialog
                                                                                                                                                                                                                        • String ID: GETPASSWORD1$Software\WinRAR SFX
                                                                                                                                                                                                                        • API String ID: 431506467-1315819833
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$Global$AllocCreateStream
                                                                                                                                                                                                                        • String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                                                                                                                                                                                        • API String ID: 2868844859-1533471033
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                        • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                                                                                                                                                                                                        • API String ID: 3215553584-2617248754
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Window$MessageObjectSend$ClassDeleteLongName
                                                                                                                                                                                                                        • String ID: STATIC
                                                                                                                                                                                                                        • API String ID: 2845197485-1882779555
                                                                                                                                                                                                                        • Opcode ID: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
                                                                                                                                                                                                                        • Instruction ID: 2d2e2fe15c6242537053f45eee1a7e9c816e19c34b7da608ba4d956147bcbda6
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FB31A421B0864242FBE0BF22A954BB9ABB1AFCDBE0F901430DD4E07B55DE3CD4058B60
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ItemTextWindow
                                                                                                                                                                                                                        • String ID: LICENSEDLG
                                                                                                                                                                                                                        • API String ID: 2478532303-2177901306
                                                                                                                                                                                                                        • Opcode ID: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
                                                                                                                                                                                                                        • Instruction ID: 733ccbe7946008d9f3ef0da71dbccb525334bcbdd0ac28a00436a834629ea930
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 72417C21A0865282FBD4AF62AC54B7DEAB0ABC5FA0F945034D90E03B95CF3CE545C721
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: AddressProc$CurrentDirectoryProcessSystem
                                                                                                                                                                                                                        • String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
                                                                                                                                                                                                                        • API String ID: 2915667086-2207617598
                                                                                                                                                                                                                        • Opcode ID: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
                                                                                                                                                                                                                        • Instruction ID: 6ddd71a6cb8836fb52de330c5b44b1a3a643991a145d5f85f4ac8159e063c015
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E2312B20E0DA0680EBE4BF56A854A79BFB0AF86BB0F845135DC4E037A4DE3CE541C320
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID: $
                                                                                                                                                                                                                        • API String ID: 3668304517-227171996
                                                                                                                                                                                                                        • Opcode ID: 21e62478960f4ce8d0e7242d7b9149d0a339b7dfd3a44c89ed8729fa7c19746b
                                                                                                                                                                                                                        • Instruction ID: 6a412084dc52fb69769c0146e58e6598f0468f4fd24ea5962348805addf1ac7a
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 21e62478960f4ce8d0e7242d7b9149d0a339b7dfd3a44c89ed8729fa7c19746b
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A1F1D062F1464641EF50AF66D9881BCAB71AB84BB8F805631CB6D13BD5DF7CE180C360
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                                                                                                                                                                                        • String ID: csm$csm$csm
                                                                                                                                                                                                                        • API String ID: 2940173790-393685449
                                                                                                                                                                                                                        • Opcode ID: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
                                                                                                                                                                                                                        • Instruction ID: cd0364834781f35f765501cdc01e0c00ed2826fe261b7e7cf8f793d9da79f1e0
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 61E1B0739087828AE790AF34D4C83ADBBB0FB85768F940135DA8D4769ACF38E485C711
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: AllocClearStringVariant
                                                                                                                                                                                                                        • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                                                                                                                                                                                        • API String ID: 1959693985-3505469590
                                                                                                                                                                                                                        • Opcode ID: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
                                                                                                                                                                                                                        • Instruction ID: 5cc880ba51fbf8e5792af093d18fea52dc672e03ba0d28ba5fda9fb603d4ff36
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C7714F76A18B0585EB60EF66D8805ADBBB0FBC4BA8B845172DE4D43B64CF3CD544C350
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF7C99D74F3,?,?,?,00007FF7C99D525E,?,?,?,00007FF7C99D5219), ref: 00007FF7C99D7371
                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,00000000,00007FF7C99D74F3,?,?,?,00007FF7C99D525E,?,?,?,00007FF7C99D5219), ref: 00007FF7C99D737F
                                                                                                                                                                                                                        • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF7C99D74F3,?,?,?,00007FF7C99D525E,?,?,?,00007FF7C99D5219), ref: 00007FF7C99D73A9
                                                                                                                                                                                                                        • FreeLibrary.KERNEL32(?,?,00000000,00007FF7C99D74F3,?,?,?,00007FF7C99D525E,?,?,?,00007FF7C99D5219), ref: 00007FF7C99D73EF
                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,?,00000000,00007FF7C99D74F3,?,?,?,00007FF7C99D525E,?,?,?,00007FF7C99D5219), ref: 00007FF7C99D73FB
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                                                                                                        • String ID: api-ms-
                                                                                                                                                                                                                        • API String ID: 2559590344-2084034818
                                                                                                                                                                                                                        • Opcode ID: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
                                                                                                                                                                                                                        • Instruction ID: d66c85f54135b6cb5547b572c57e09dbc77221a3d5c443e6ffb5a57562aaba04
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 05319062A1E64281EF92BF46A844579EAA5FF88FB0F994535DD1D47380DF3CE4408730
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • GetModuleHandleW.KERNEL32(?,?,?,00007FF7C99D1573,?,?,?,00007FF7C99D192A), ref: 00007FF7C99D162B
                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,?,?,00007FF7C99D1573,?,?,?,00007FF7C99D192A), ref: 00007FF7C99D1648
                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,?,?,00007FF7C99D1573,?,?,?,00007FF7C99D192A), ref: 00007FF7C99D1664
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: AddressProc$HandleModule
                                                                                                                                                                                                                        • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                                                                                                                                                                        • API String ID: 667068680-1718035505
                                                                                                                                                                                                                        • Opcode ID: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
                                                                                                                                                                                                                        • Instruction ID: 306c5b723bea423c97a9aea5d2f79b9ab19a19609df4d2eae724012b3fc51f94
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AE113023E0DB0381FFE9AF55A584174AAB16F897B4FCD5435C81D06394EE3CB5848630
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                          • Part of subcall function 00007FF7C99B51A4: GetVersionExW.KERNEL32 ref: 00007FF7C99B51D5
                                                                                                                                                                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF7C99A5AB4), ref: 00007FF7C99BED8C
                                                                                                                                                                                                                        • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF7C99A5AB4), ref: 00007FF7C99BED98
                                                                                                                                                                                                                        • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF7C99A5AB4), ref: 00007FF7C99BEDA8
                                                                                                                                                                                                                        • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF7C99A5AB4), ref: 00007FF7C99BEDB6
                                                                                                                                                                                                                        • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF7C99A5AB4), ref: 00007FF7C99BEDC4
                                                                                                                                                                                                                        • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF7C99A5AB4), ref: 00007FF7C99BEE05
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Time$File$System$Local$SpecificVersion
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 2092733347-0
                                                                                                                                                                                                                        • Opcode ID: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
                                                                                                                                                                                                                        • Instruction ID: d406c435be879d2978f3653146c5517a6086b6a3c43f714a218001785c32f906
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7851BEB2B046518BEB54DFB9D4400ACBBB1FB88B98BA0403ADE0D67B58DF38E541C750
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Time$File$System$Local$SpecificVersion
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 2092733347-0
                                                                                                                                                                                                                        • Opcode ID: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
                                                                                                                                                                                                                        • Instruction ID: f052c1698330ee139110de9265150f534c1e73e1e69b4ce327ed350e6998ecb1
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E3314A62B14A518DFB50DFB5D8801BC7770FF48768B94502AEE0EA7A58EF38D495C310
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID: .rar$exe$rar$sfx
                                                                                                                                                                                                                        • API String ID: 3668304517-630704357
                                                                                                                                                                                                                        • Opcode ID: 2fc35cbdd70ebaba8229e08f8487c40f3259a53efddd90ef8447a9b59f22dcea
                                                                                                                                                                                                                        • Instruction ID: 26daaa52e0521ea4599df382184f0bd576d7eef155dae64988c4eeaa76c4ac1a
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2fc35cbdd70ebaba8229e08f8487c40f3259a53efddd90ef8447a9b59f22dcea
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3DA1AF22A18A0640EB90AF65D8952BCAB71BF84FB8F942235DD1D07BE5DF3CE541C360
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: abort$CallEncodePointerTranslator
                                                                                                                                                                                                                        • String ID: MOC$RCC
                                                                                                                                                                                                                        • API String ID: 2889003569-2084237596
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                                                                                        • String ID: csm$f
                                                                                                                                                                                                                        • API String ID: 2395640692-629598281
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
                                                                                                                                                                                                                        • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                                                                                                                                                                                        • API String ID: 2102711378-639343689
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Window$Show$Rect
                                                                                                                                                                                                                        • String ID: RarHtmlClassName
                                                                                                                                                                                                                        • API String ID: 2396740005-1658105358
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                                                                                                                                                                        • API String ID: 0-56093855
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                        • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ByteCharMultiWide$AllocString
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: AddressProc
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _set_statfp
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Message$DispatchObjectPeekSingleTranslateWait
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: __except_validate_context_recordabort
                                                                                                                                                                                                                        • String ID: csm$csm
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                        • String ID: $*
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ByteCharMultiWide$StringType
                                                                                                                                                                                                                        • String ID: $%s
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CreateFrameInfo__except_validate_context_recordabort
                                                                                                                                                                                                                        • String ID: csm
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ByteCharErrorFileLastMultiWideWrite
                                                                                                                                                                                                                        • String ID: U
                                                                                                                                                                                                                        • API String ID: 2456169464-4171548499
                                                                                                                                                                                                                        • Opcode ID: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
                                                                                                                                                                                                                        • Instruction ID: dc9c864ce773dd4964d6467dce1804927d62a9ec5f64da44a947fb63e1cd50e0
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F9418222719A8182DB909F65E8443B9BBA1FB987A4F844131EE4D87798EF7CD441C760
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ObjectRelease
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1429681911-3916222277
                                                                                                                                                                                                                        • Opcode ID: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
                                                                                                                                                                                                                        • Instruction ID: f6c931c9cae0261f5b0520dcf4930a18b6e447600903061ca2ab59de06ba4c92
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3B313C3560874186EB88AF22B818A2ABB70F789FE1F905435ED4B43B54CE3CD459DB10
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • InitializeCriticalSection.KERNEL32(?,?,?,00007FF7C99C317F,?,?,00001000,00007FF7C99AE51D), ref: 00007FF7C99BE8BB
                                                                                                                                                                                                                        • CreateSemaphoreW.KERNEL32(?,?,?,00007FF7C99C317F,?,?,00001000,00007FF7C99AE51D), ref: 00007FF7C99BE8CB
                                                                                                                                                                                                                        • CreateEventW.KERNEL32(?,?,?,00007FF7C99C317F,?,?,00001000,00007FF7C99AE51D), ref: 00007FF7C99BE8E4
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                                                                                                                                                        • String ID: Thread pool initialization failed.
                                                                                                                                                                                                                        • API String ID: 3340455307-2182114853
                                                                                                                                                                                                                        • Opcode ID: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
                                                                                                                                                                                                                        • Instruction ID: 7f1495333dc14a81a5bd6b65b33f715efcdb527559830de2818e190fa8bf8a3f
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D521E732E19A4186F790AF65E4547BD7AB2FBC4B2CF588034CA0D0B295CF7E9485C7A0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CapsDeviceRelease
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 127614599-3916222277
                                                                                                                                                                                                                        • Opcode ID: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
                                                                                                                                                                                                                        • Instruction ID: adeb31a1d52ccac367426d60e46d89cd61b26323d7872c3a067bd97697b13a42
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 59E08C20B0864182EFC86FB6B58982EA261AB4CBE0F65A035DA1F43794DE3CC4D48310
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$FileTime
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1137671866-0
                                                                                                                                                                                                                        • Opcode ID: 6a66750d7d38e285348c6a4672a5517d432b12a502a6a2b91e6f62eece89d76d
                                                                                                                                                                                                                        • Instruction ID: a2711ae44dcfa0166698f4ee86efe0a1e01ea3796f70a497994d6fa5b549a730
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6a66750d7d38e285348c6a4672a5517d432b12a502a6a2b91e6f62eece89d76d
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 21A1B262A18A8281EB60EF65D8451ADAB71FFC57A4FC05131EE9D03AE9DF3CE544C720
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
• Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ErrorLast
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1452528299-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1077098981-0
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 4141327611-0
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: FileMove_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3823481717-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF7C99DC45B), ref: 00007FF7C99E0B91
                                                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7C99DC45B), ref: 00007FF7C99E0BF3
                                                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7C99DC45B), ref: 00007FF7C99E0C2D
                                                                                                                                                                                                                        • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF7C99DC45B), ref: 00007FF7C99E0C57
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1557788787-0
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ErrorLast$abort
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1447195878-0
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CapsDevice$Release
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1035833867-0
                                                                                                                                                                                                                        • Opcode ID: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
                                                                                                                                                                                                                        • Instruction ID: 1fec8907619d6d3d9b38a3f41663cdd09a8f333d9add613ee368d428b1a9f001
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 24E0ED60E0960282FFCC7F71685993ABAB0AF48B61F98947AC81F47350DD3CA095D620
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                        • String ID: DXGIDebug.dll
                                                                                                                                                                                                                        • API String ID: 3668304517-540382549
                                                                                                                                                                                                                        • Opcode ID: 2b89549b7426e50bfd34945384ed8c0e8b0bf6c6c1231d7991053c614d04a2bf
                                                                                                                                                                                                                        • Instruction ID: e871640294b8fe55abdff67904199b8661b7c4efa2b4ce4989abc4687b41879b
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2b89549b7426e50bfd34945384ed8c0e8b0bf6c6c1231d7991053c614d04a2bf
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6471BD72A14B8186EB64DF65E9443ADB3B8FB947A4F804225DFAC03B95DF38D151C310
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                        • String ID: e+000$gfff
                                                                                                                                                                                                                        • API String ID: 3215553584-3030954782
                                                                                                                                                                                                                        • Opcode ID: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
                                                                                                                                                                                                                        • Instruction ID: 23c2e43cc2f35f84a0ff17b1b8bda1306eacdad9e896b96687704d933bebe062
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 83510363B187C146E7A59F759985369EEA1ABC1BA0F888231CB9C87BD5CF2CD444C720
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$swprintf
                                                                                                                                                                                                                        • String ID: SIZE
                                                                                                                                                                                                                        • API String ID: 449872665-3243624926
                                                                                                                                                                                                                        • Opcode ID: 1ee6a6b9fbbd6c3126f8bc5ffec1b6aa008f2877db1f13591811bbd6ed408201
                                                                                                                                                                                                                        • Instruction ID: 08e483b071e5099ada1b8f00573bf2153e7bbb966868f6a9364650d99557a688
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1ee6a6b9fbbd6c3126f8bc5ffec1b6aa008f2877db1f13591811bbd6ed408201
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0C41C363A2868295EBA0EF14E4453BDA770EFC57B8F904231EE9D066D6EE7CD540C720
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: FileModuleName_invalid_parameter_noinfo
                                                                                                                                                                                                                        • String ID: C:\Users\user\Desktop\442.docx.exe
                                                                                                                                                                                                                        • API String ID: 3307058713-3798399066
                                                                                                                                                                                                                        • Opcode ID: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
                                                                                                                                                                                                                        • Instruction ID: ec774e4fcad5808472258ed96a78b4bc43c029bae2b868cce4c0bf656870e313
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 87416533A0865286EB94EF25A8850BDFBB4EFC47E4B845035E94E47B95EE3DE441C360
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ItemText$DialogWindow
                                                                                                                                                                                                                        • String ID: ASKNEXTVOL
                                                                                                                                                                                                                        • API String ID: 445417207-3402441367
                                                                                                                                                                                                                        • Opcode ID: 75a4ef6a6cdb84fc8c98b7401f85638b76a9530d4b428818baa7d4c6ec3066de
                                                                                                                                                                                                                        • Instruction ID: b51f7fe202f400db4365ec9e905e28ef499cf6146a69e4587e87d3ab3c0b4d3f
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 75a4ef6a6cdb84fc8c98b7401f85638b76a9530d4b428818baa7d4c6ec3066de
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B4417F22A0868281FBD4BF22E8542B9ABB1EFC5BE1F944035DE4E07795CE3DE541C760
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.2056898409.00007FF7C99A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C99A0000, based on PE: true
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2056803124.00007FF7C99A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C99FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057211844.00007FF7C9A04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        • Associated: 00000000.00000002.2057430253.00007FF7C9A0E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7c99a0000_442.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ByteCharMultiWide_snwprintf
                                                                                                                                                                                                                        • String ID: $%s$@%s
                                                                                                                                                                                                                        • API String ID: 2650857296-834177443
                                                                                                                                                                                                                        • Opcode ID: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
                                                                                                                                                                                                                        • Instruction ID: 5f2de7db36c021696465f58f22312002f60e029c16342c3ae583f515b6f4c7ee
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7631C672B29A4685EBA0EF66D4406E9ABB0FB85BE8F801032DE0D07755DE3CE505C750
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: FileHandleType
                                                                                                                                                                                                                        • String ID: @
                                                                                                                                                                                                                        • API String ID: 3000768030-2766056989
                                                                                                                                                                                                                        • Opcode ID: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
                                                                                                                                                                                                                        • Instruction ID: 466fa9034856f7bcd103dbd6a8ea7f5ec3c97cde71ae2fdc7498e832f7817bec
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 29217133A08A8241EBA4AF6694D4139AE61EB85774FAC1335D66F077D4CE3DE881C321
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7C99D1D3E), ref: 00007FF7C99D40BC
                                                                                                                                                                                                                        • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7C99D1D3E), ref: 00007FF7C99D4102
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ExceptionFileHeaderRaise
                                                                                                                                                                                                                        • String ID: csm
                                                                                                                                                                                                                        • API String ID: 2573137834-1018135373
                                                                                                                                                                                                                        • Opcode ID: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
                                                                                                                                                                                                                        • Instruction ID: 63f8875d63f356942934985eb12f5bf13cdda79849041a7839a6895d1bab4659
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6B118F32608B4182EB609F15E444269BBF0FB88BA4F584230DF8C07B94DF3CC551C740
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C99BE95F,?,?,?,00007FF7C99B463A,?,?,?), ref: 00007FF7C99BEA63
                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C99BE95F,?,?,?,00007FF7C99B463A,?,?,?), ref: 00007FF7C99BEA6E
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ErrorLastObjectSingleWait
                                                                                                                                                                                                                        • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                                                                                                                                                                        • API String ID: 1211598281-2248577382
                                                                                                                                                                                                                        • Opcode ID: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
                                                                                                                                                                                                                        • Instruction ID: fcd8821df67ac3958fbe3c135e86dbac5b6ea928cb98aa187bf9158d0a814e22
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 69E0E565E1984281E790BF66AC565A8BA30BFA17B0FD01330D03E425E19E6CA985C320
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: FindHandleModuleResource
                                                                                                                                                                                                                        • String ID: RTL
                                                                                                                                                                                                                        • API String ID: 3537982541-834975271
                                                                                                                                                                                                                        • Opcode ID: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
                                                                                                                                                                                                                        • Instruction ID: 8cf5d17ddb992ecebf32356a8fea844e08e178d49d7e54124db1e6fca97661fe
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4DD05B91F0D60141FF596FB654453356A705F5CB51FC44078CC0D06350DE2CD5C4C760

                                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                                        Execution Coverage:1%
                                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                        Signature Coverage:5.8%
                                                                                                                                                                                                                        Total number of Nodes:1056
                                                                                                                                                                                                                        Total number of Limit Nodes:13
TlsSetValue 6709->6798 6710->6709 6797 5fd74f80 GetLastError TlsGetValue SetLastError 6710->6797 6712->6672 6715 5fd5c110 6714->6715 6717 5fcdfd72 SwitchToFiber 6714->6717 6715->6717 6799 5fd74f80 GetLastError TlsGetValue SetLastError 6715->6799 6717->6682 6718->6691 6720 5fdad411 6719->6720 6727 5fdad43a 6719->6727 6721 5fdad41b 6720->6721 6722 5fdad484 6720->6722 6800 5fdac640 6721->6800 6725 5fd2bfc0 10 API calls 6722->6725 6724 5fdad429 6724->6727 6729 5fdad453 memmove 6724->6729 6726 5fdad4a5 6725->6726 6728 5fd2c340 10 API calls 6726->6728 6727->6701 6730 5fdad4c1 6728->6730 6729->6727 6730->6701 6732 5fcdfa40 6731->6732 6734 5fcdf905 6731->6734 6733 5fd2bfc0 10 API calls 6732->6733 6735 5fcdfa63 6733->6735 6736 5fd61180 19 API calls 6734->6736 6760 5fcdf925 6734->6760 6737 5fd2c340 10 API calls 6735->6737 6738 5fcdf94d 6736->6738 6739 5fcdfa7f 6737->6739 6740 5fd614d0 12 API calls 6738->6740 6738->6760 6739->6672 6741 5fcdf96d 6740->6741 6741->6760 6818 5fdacb80 6741->6818 6743 5fcdf983 6744 5fcdfbb4 6743->6744 6748 5fcdf98d 6743->6748 6747 5fd2bfc0 10 API calls 6744->6747 6745 5fd614d0 12 API calls 6745->6748 6749 5fcdfbd5 6747->6749 6748->6745 6750 5fcdf9a0 CreateFiber 6748->6750 6753 5fdad400 13 API calls 6748->6753 6757 5fcdf99a 6748->6757 6752 5fd2c340 10 API calls 6749->6752 6750->6748 6751 5fcdfa90 6750->6751 6755 5fcdfaab DeleteFiber 6751->6755 6752->6760 6753->6748 6754 5fcdfa23 6756 5fd2bfc0 10 API calls 6754->6756 6754->6760 6755->6757 6758 5fcdfb01 6756->6758 6831 5fd74fc0 TlsSetValue 6757->6831 6759 5fd2c340 10 API calls 6758->6759 6762 5fcdfb1d 6759->6762 6760->6672 6761 5fcdfb5b DeleteFiber 6761->6762 6762->6760 6762->6761 6764 5fd61542 6763->6764 6765 5fd614ef 6763->6765 6766 5fd6150c 6764->6766 6767 5fd61559 malloc 6764->6767 6768 5fd61520 6765->6768 6770 5fd61506 6765->6770 6766->6672 6769 5fd61524 memset 6767->6769 6767->6770 6768->6766 6768->6769 6769->6672 6770->6766 6771 5fd2bfc0 10 API calls 6770->6771 6772 5fd61586 6771->6772 6773 
5fd2c340 10 API calls 6772->6773 6773->6766 6832 5fd74f80 GetLastError TlsGetValue SetLastError 6774->6832 6776 5fd61192 6777 5fd61198 6776->6777 6778 5fd614d0 12 API calls 6776->6778 6779 5fd612f0 10 API calls 6777->6779 6780 5fd611ff 6778->6780 6784 5fd611b4 6779->6784 6780->6784 6833 5fd74fc0 TlsSetValue 6780->6833 6782 5fd61257 6835 5fd74fc0 TlsSetValue 6782->6835 6784->6672 6785 5fd61215 6785->6782 6785->6784 6834 5fd74e80 EnterCriticalSection 6785->6834 6787 5fd61253 6787->6782 6788 5fdad400 13 API calls 6787->6788 6789 5fd6129e 6788->6789 6836 5fd74ea0 LeaveCriticalSection 6789->6836 6791 5fd612ab 6791->6777 6791->6782 6793 5fe7454e 6792->6793 6793->6672 6794->6672 6795->6656 6796->6685 6797->6709 6798->6712 6799->6717 6801 5fdac65e 6800->6801 6802 5fdac710 6800->6802 6803 5fdac67b 6801->6803 6804 5fdac7c5 6801->6804 6808 5fd2bfc0 10 API calls 6802->6808 6805 5fdac686 6803->6805 6807 5fdac6b1 6803->6807 6813 5fdac77c 6803->6813 6806 5fd614d0 12 API calls 6804->6806 6805->6807 6810 5fd613c0 free 6805->6810 6806->6807 6807->6724 6809 5fdac731 6808->6809 6811 5fd2c340 10 API calls 6809->6811 6810->6807 6812 5fdac74d 6811->6812 6812->6724 6814 5fd2bfc0 10 API calls 6813->6814 6815 5fdac79d 6814->6815 6816 5fd2c340 10 API calls 6815->6816 6817 5fdac7b9 6816->6817 6817->6724 6819 5fd614d0 12 API calls 6818->6819 6820 5fdacba5 6819->6820 6821 5fdacbc3 6820->6821 6822 5fdacc20 6820->6822 6828 5fdacc03 6820->6828 6823 5fdacbdb 6821->6823 6824 5fdacca0 6821->6824 6827 5fd2bfc0 10 API calls 6822->6827 6826 5fd613c0 free 6823->6826 6823->6828 6825 5fd614d0 12 API calls 6824->6825 6825->6828 6826->6828 6829 5fdacc41 6827->6829 6828->6743 6830 5fd2c340 10 API calls 6829->6830 6830->6828 6831->6754 6832->6776 6833->6785 6834->6787 6835->6784 6836->6791 6838 5fc6d320 6837->6838 6839 5fc6d271 6837->6839 6842 5fc68640 10 API calls 6838->6842 6840 5fc6d305 6839->6840 6841 5fc6d27c 6839->6841 6882 5fdb22f0 EnterCriticalSection 6840->6882 6844 5fc6d2c0 6841->6844 6845 5fc6d281 
6841->6845 6846 5fc6d2f4 6842->6846 6876 5fc68640 6844->6876 6874 5fdb22f0 EnterCriticalSection 6845->6874 6850 5fc6d2f8 6846->6850 6851 6009f741 GetModuleHandleA 6846->6851 6848 5fc6d28f 6875 5fdb2330 LeaveCriticalSection 6848->6875 6850->6617 6853 6009f7e9 6851->6853 6854 6009f7b9 GetProcAddress GetProcAddress 6851->6854 6853->6617 6854->6853 6855 5fc6d2b1 6855->6617 6857 5fc6d225 6856->6857 6858 5fc6d173 6856->6858 6859 5fc68640 10 API calls 6857->6859 6860 5fc6d200 6858->6860 6861 5fc6d17e 6858->6861 6868 5fc6d1f4 6859->6868 6885 5fdb22f0 EnterCriticalSection 6860->6885 6863 5fc6d183 6861->6863 6864 5fc6d1c0 6861->6864 6883 5fdb22f0 EnterCriticalSection 6863->6883 6865 5fc68640 10 API calls 6864->6865 6865->6868 6867 5fc6d1ac 6867->6619 6868->6867 6870 6009f741 GetModuleHandleA 6868->6870 6869 5fc6d191 6884 5fdb2330 LeaveCriticalSection 6869->6884 6872 6009f7b9 GetProcAddress GetProcAddress 6870->6872 6873 6009f7e9 6870->6873 6872->6873 6873->6619 6874->6848 6875->6855 6877 5fc68648 6876->6877 6878 5fd2bfc0 10 API calls 6877->6878 6879 5fc68664 6878->6879 6880 5fd2c0e0 10 API calls 6879->6880 6881 5fc68688 6880->6881 6881->6846 6882->6848 6883->6869 6884->6867 6885->6869 6886 5fc31c80 6888 5fc31c8f 6886->6888 6887 5fc31c9d 6888->6887 6889 5ff4f7e0 4 API calls 6888->6889 6890 6009ef0a 6889->6890 6891 5ff4f7e0 4 API calls 6890->6891 6892 6009ef1a 6891->6892 6893 5ff4f7e0 4 API calls 6892->6893 6894 6009ef2a 6893->6894 6895 5ff4f7e0 4 API calls 6894->6895 6897 6009ef3a 6895->6897 6896 5ff4f7e0 4 API calls 6896->6897 6897->6896 6933 5fc32aa0 6936 5fc32b7e 6933->6936 6934 5fc33260 6935 5fc33287 memcpy 6934->6935 6937 5fc33380 6935->6937 6936->6934 6936->6937 6938 5fc33221 memcpy 6936->6938 6939 5fc333a1 memcpy 6937->6939 6938->6934 5753 5fd612f0 5754 5fd61332 5753->5754 5757 5fd6130e 5753->5757 5755 5fd61349 malloc 5754->5755 5761 5fd61329 5754->5761 5756 5fd61355 5755->5756 5755->5757 5757->5761 5762 5fd2bfc0 5757->5762 5764 5fd2bfd8 5762->5764 5763 5fd2c043 5772 
5fd2c340 5763->5772 5764->5763 5765 5fd2c055 strlen 5764->5765 5768 5fd2c00c 5764->5768 5775 5fd612f0 5765->5775 5767 5fd2c078 5767->5768 5769 5fd2c082 strcpy 5767->5769 5768->5763 5770 5fd2c090 strlen 5768->5770 5769->5768 5771 5fd612f0 7 API calls 5770->5771 5771->5763 5784 5fd2c0e0 5772->5784 5774 5fd2c367 5774->5761 5776 5fd61332 5775->5776 5779 5fd6130e 5775->5779 5777 5fd61349 malloc 5776->5777 5783 5fd61329 5776->5783 5778 5fd61355 5777->5778 5777->5779 5778->5767 5780 5fd2bfc0 9 API calls 5779->5780 5779->5783 5781 5fd61379 5780->5781 5782 5fd2c340 9 API calls 5781->5782 5782->5783 5783->5767 5785 5fd2c0ec 5784->5785 5786 5fd2c137 5785->5786 5787 5fd613c0 free 5785->5787 5794 5fd2c16c 5785->5794 5788 5fd2c271 5786->5788 5789 5fd2c13f 5786->5789 5787->5786 5799 5fce8a30 5788->5799 5795 5fd613c0 5789->5795 5793 5fd613c0 free 5793->5794 5794->5774 5796 5fd613e1 5795->5796 5797 5fd61440 free 5796->5797 5798 5fd613f8 5796->5798 5797->5798 5798->5794 5802 5fce7c60 5799->5802 5807 5fce7cad 5802->5807 5803 5fce7cbc 5810 5fce6700 5803->5810 5805 5fce7cde 5805->5793 5806 5fce6700 10 API calls 5806->5807 5807->5803 5807->5805 5807->5806 5819 5fce7610 5807->5819 5838 5fce6850 5807->5838 5812 5fce6713 5810->5812 5811 5fce6723 5811->5805 5812->5811 5813 5fce679e 5812->5813 5814 5fce67d1 5812->5814 5816 5fd613c0 free 5813->5816 5815 5fd612f0 9 API calls 5814->5815 5817 5fce67e9 5815->5817 5816->5811 5817->5811 5818 5fce680b memcpy 5817->5818 5818->5811 5821 5fce765b 5819->5821 5827 5fce77d1 5819->5827 5820 5fd612f0 7 API calls 5820->5827 5822 5fce7767 strlen 5821->5822 5822->5827 5823 5fce7a31 memcpy 5823->5827 5824 5fce786d 5824->5807 5825 5fce6700 7 API calls 5825->5827 5826 5fce788e 5826->5824 5829 5fce6700 7 API calls 5826->5829 5830 5fce78d1 5826->5830 5827->5820 5827->5823 5827->5824 5827->5825 5827->5826 5831 5fd613c0 free 5827->5831 5833 5fce7a73 5827->5833 5828 5fce6700 7 API calls 5828->5830 5829->5826 5830->5824 5830->5828 5832 5fce7bf5 5830->5832 5831->5827 
5832->5824 5836 5fce6700 7 API calls 5832->5836 5833->5824 5834 5fd612f0 7 API calls 5833->5834 5835 5fd613c0 free 5833->5835 5837 5fce7b9e memcpy 5833->5837 5834->5833 5835->5833 5836->5832 5837->5833 5860 5fce6892 5838->5860 5839 5fce6ddf 5840 5fce6700 9 API calls 5839->5840 5841 5fce6e06 5840->5841 5841->5807 5842 5fce72e0 5843 5fce6700 9 API calls 5842->5843 5847 5fce7389 5842->5847 5851 5fce7337 5843->5851 5844 5fce7474 5846 5fce6700 9 API calls 5844->5846 5854 5fce74ab 5844->5854 5845 5fce6700 9 API calls 5845->5847 5848 5fce7552 5846->5848 5847->5844 5847->5845 5849 5fce6d2f 5847->5849 5848->5849 5852 5fce75d7 5848->5852 5853 5fce7562 5848->5853 5849->5807 5850 5fce6700 9 API calls 5850->5854 5851->5847 5851->5849 5855 5fce6700 9 API calls 5851->5855 5856 5fce6700 9 API calls 5852->5856 5857 5fce6700 9 API calls 5853->5857 5854->5849 5854->5850 5855->5851 5858 5fce7583 5856->5858 5857->5858 5858->5849 5858->5854 5859 5fce6700 9 API calls 5858->5859 5859->5858 5860->5839 5860->5842 5860->5844 5860->5849 5865 5fce6ca1 5860->5865 5861 5fce6ce0 5862 5fce6700 9 API calls 5861->5862 5867 5fce6cf0 5861->5867 5862->5867 5863 5fce6fab 5863->5861 5866 5fce6fb3 5863->5866 5864 5fce6700 9 API calls 5864->5867 5865->5861 5865->5863 5865->5866 5871 5fce6ffe 5865->5871 5868 5fce6700 9 API calls 5866->5868 5870 5fce6fbf 5866->5870 5867->5842 5867->5849 5867->5864 5868->5870 5869 5fce6700 9 API calls 5869->5870 5870->5849 5870->5867 5870->5869 5871->5849 5871->5861 5872 5fd613c0 free 5871->5872 5873 5fd612f0 9 API calls 5871->5873 5874 5fce712e memcpy 5871->5874 5872->5871 5873->5871 5874->5871 6129 6007a400 6130 6007a413 6129->6130 6145 6007a4d0 6129->6145 6131 6007a427 6130->6131 6132 6007a500 6130->6132 6133 6007a55a 6131->6133 6136 6007a452 6131->6136 6137 6007a540 6131->6137 6134 6007a520 memset 6132->6134 6135 6007a50d 6132->6135 6140 6007a598 memset 6133->6140 6142 6007a572 6133->6142 6134->6135 6139 6009dbf0 6 API calls 6136->6139 6138 6009dbf0 6 API calls 6137->6138 
6138->6133 6141 6007a46b 6139->6141 6140->6142 6143 6007a4ab memmove 6141->6143 6144 6007a480 memset 6141->6144 6142->6143 6142->6145 6143->6145 6144->6143 6146 5fd8b650 6149 5fd89fc0 6146->6149 6148 5fd8b687 6150 5fd8a010 6149->6150 6151 5fd8a03d 6150->6151 6152 5fd2bfc0 10 API calls 6150->6152 6151->6148 6153 5fd8a091 6152->6153 6154 5fd2c340 10 API calls 6153->6154 6154->6151 6906 5fd82210 6907 5fd8221b 6906->6907 6908 5fd82239 6906->6908 6907->6908 6910 5fd81d20 6907->6910 6911 5fd81d54 6910->6911 6912 5fd81dc0 6911->6912 6930 5fd74e60 EnterCriticalSection 6911->6930 6915 5fd2bfc0 10 API calls 6912->6915 6914 5fd81d82 6914->6912 6916 5fd81d86 6914->6916 6917 5fd81de1 6915->6917 6918 5fd81d8f 6916->6918 6919 5fd81e04 6916->6919 6920 5fd2c340 10 API calls 6917->6920 6931 5fd74ea0 LeaveCriticalSection 6918->6931 6932 5fd74ea0 LeaveCriticalSection 6919->6932 6922 5fd81dfd 6920->6922 6922->6908 6924 5fd81dae 6925 5fd2bfc0 10 API calls 6924->6925 6926 5fd81db2 6924->6926 6927 5fd81e32 6925->6927 6926->6908 6928 5fd2c340 10 API calls 6927->6928 6929 5fd81e4e 6928->6929 6929->6908 6930->6914 6931->6924 6932->6924 5875 6009e260 5877 6009e286 5875->5877 5879 6009e2d2 5875->5879 5876 6009e348 5877->5879 5924 60047c80 5877->5924 5879->5876 5883 6009e53a 5879->5883 5890 6009e4e0 5879->5890 5899 6009e487 5879->5899 5880 6009e50d 5881 6009e4a0 5884 6009e4b0 5881->5884 5885 6009e7d6 5881->5885 5935 5fffbac0 5883->5935 5884->5890 5928 5ffe8ba0 5884->5928 5887 5fffbac0 31 API calls 5885->5887 5891 6009e7e9 5887->5891 5889 6009e4cc 5893 5ffe8ba0 7 API calls 5889->5893 5890->5880 5913 6009f871 5890->5913 5894 5fffbc80 31 API calls 5891->5894 5892 6009e545 5941 5fffbc80 5892->5941 5893->5890 5898 6009e7f7 5894->5898 5896 6009e55b 5897 5fffbc80 31 API calls 5896->5897 5896->5899 5903 5fffbd40 31 API calls 5896->5903 5963 6009dd60 5896->5963 5897->5896 5900 5fffbc80 31 API calls 5898->5900 5899->5881 5899->5896 5910 6009e680 5899->5910 5901 6009e800 5900->5901 5901->5884 5902 
6009e9dc 5902->5890 5904 6009f844 abort 5902->5904 5903->5896 5904->5890 5906 6009e946 5906->5910 5978 5fffbd40 5906->5978 6002 5fffba50 5906->6002 6008 5fffbb90 5906->6008 5908 5fffbac0 31 API calls 5908->5913 5910->5881 5910->5884 5910->5890 5910->5902 5910->5906 5911 5fffbb90 31 API calls 5911->5913 5912 6009f907 5914 6009f92f abort 5912->5914 5913->5908 5913->5911 5913->5912 5915 6009dce0 5914->5915 5916 6009f93d abort 5915->5916 5917 6009f944 5916->5917 5918 6009f994 fwrite 5917->5918 5922 6009f9e7 5917->5922 5920 6009f9bd fputs 5918->5920 5919 6009f9f3 abort free 5919->5922 5921 6009f9d2 fputc 5920->5921 5921->5922 5922->5919 5923 6009fa35 5922->5923 5925 60047c90 5924->5925 5926 60047cb8 5924->5926 5925->5926 5927 60047c9a strcmp 5925->5927 5926->5879 5927->5926 5929 5ffe8bb9 5928->5929 5930 600a2382 6 API calls 5928->5930 5929->5930 5933 5ffe8bd9 5929->5933 5931 600a23ea rand_s 5930->5931 5932 600a23e9 5930->5932 5934 600a23fe 5931->5934 5932->5889 5933->5889 5934->5889 5936 5fffbad3 5935->5936 5937 5fffbc80 31 API calls 5936->5937 5939 5fffbae8 5936->5939 5938 5fffbb6c 5937->5938 5940 5fffbd40 31 API calls 5938->5940 5939->5892 5939->5939 5940->5939 5942 5fffbc84 5941->5942 5943 5fffbc94 5941->5943 5942->5896 5942->5943 5944 6009f818 abort 5942->5944 5943->5896 5945 6009f820 5944->5945 5946 6009f82c abort 5945->5946 5947 6009f831 5945->5947 5946->5947 5948 6009f844 abort 5947->5948 5952 6009f849 5947->5952 5948->5952 5949 5fffbac0 21 API calls 5949->5952 5950 5fffbb90 21 API calls 5950->5952 5951 6009f907 5953 6009f92f abort 5951->5953 5952->5949 5952->5950 5952->5951 5954 6009dce0 5953->5954 5955 6009f93d abort 5954->5955 5956 6009f944 5955->5956 5957 6009f994 fwrite 5956->5957 5960 6009f9e7 5956->5960 5959 6009f9bd fputs 5957->5959 5958 6009f9f3 abort free 5958->5960 5961 6009f9d2 fputc 5959->5961 5960->5958 5962 6009fa35 5960->5962 5961->5960 5967 6009dd6e 5963->5967 5964 5fffbac0 31 API calls 5964->5967 5965 5fffbb90 31 API calls 5965->5967 5966 
6009f907 5968 6009f92f abort 5966->5968 5967->5964 5967->5965 5967->5966 5969 6009dce0 5968->5969 5970 6009f93d abort 5969->5970 5972 6009f944 5970->5972 5971 6009f9e7 5974 6009f9f3 abort free 5971->5974 5977 6009fa35 5971->5977 5972->5971 5973 6009f994 fwrite 5972->5973 5975 6009f9bd fputs 5973->5975 5974->5971 5976 6009f9d2 fputc 5975->5976 5976->5971 5979 5fffbd4d 5978->5979 5980 5fffbda0 5978->5980 5981 6009f810 abort 5979->5981 5984 5fffbd5a 5979->5984 5980->5906 5982 6009f818 abort 5981->5982 5983 6009f820 5982->5983 5985 6009f82c abort 5983->5985 5986 6009f831 5983->5986 5984->5906 5984->5984 5985->5986 5987 6009f844 abort 5986->5987 5991 6009f849 5986->5991 5987->5991 5988 5fffbac0 20 API calls 5988->5991 5989 5fffbb90 20 API calls 5989->5991 5990 6009f907 5992 6009f92f abort 5990->5992 5991->5988 5991->5989 5991->5990 5993 6009dce0 5992->5993 5994 6009f93d abort 5993->5994 5995 6009f944 5994->5995 5996 6009f994 fwrite 5995->5996 6000 6009f9e7 5995->6000 5998 6009f9bd fputs 5996->5998 5997 6009f9f3 abort free 5997->6000 5999 6009f9d2 fputc 5998->5999 5999->6000 6000->5997 6001 6009fa35 6000->6001 6003 5fffba72 6002->6003 6004 5fffbc80 31 API calls 6003->6004 6006 5fffbab3 6003->6006 6005 5fffbb6c 6004->6005 6007 5fffbd40 31 API calls 6005->6007 6006->5906 6006->6006 6007->6006 6010 5fffbbb8 6008->6010 6009 5fffbd40 21 API calls 6009->6010 6010->6009 6011 5fffbc68 6010->6011 6012 5fffba50 21 API calls 6010->6012 6014 5fffbc2a 6010->6014 6013 6009f82c abort 6011->6013 6015 6009f831 6011->6015 6012->6010 6013->6015 6014->5906 6017 6009f818 abort 6014->6017 6018 5fffbc36 6014->6018 6016 6009f844 abort 6015->6016 6020 6009f849 6015->6020 6016->6020 6017->6011 6018->5906 6019 5fffbac0 21 API calls 6019->6020 6020->6019 6021 5fffbb90 21 API calls 6020->6021 6023 6009f907 6020->6023 6021->6020 6022 6009f92f abort 6024 6009dce0 6022->6024 6023->6022 6025 6009f93d abort 6024->6025 6026 6009f944 6025->6026 6027 6009f994 fwrite 6026->6027 6031 6009f9e7 6026->6031 6029 
6009f9bd fputs 6027->6029 6028 6009f9f3 abort free 6028->6031 6030 6009f9d2 fputc 6029->6030 6030->6031 6031->6028 6032 6009fa35 6031->6032 6194 60092320 6195 600923b2 6194->6195 6197 60092330 6194->6197 6196 6009dbf0 6 API calls 6195->6196 6196->6197 6033 5fff6b90 6049 5fff6850 6033->6049 6035 5fff6ba6 GetCurrentThreadId CreateEventA 6037 5fff6b9c 6035->6037 6036 5fff6ca3 6037->6035 6037->6036 6038 5fff6bfc GetCurrentProcess GetCurrentThread GetCurrentProcess DuplicateHandle 6037->6038 6044 5fff6cad 6037->6044 6040 600a242a abort GetModuleHandleA 6038->6040 6041 5fff6c60 GetThreadPriority TlsSetValue 6038->6041 6042 600a24a9 6040->6042 6043 600a2479 GetProcAddress GetProcAddress 6040->6043 6041->6036 6041->6040 6043->6042 6061 5fff66e0 GetCurrentThreadId 6044->6061 6072 5fff6ad0 6044->6072 6046 5fff6cc8 TlsGetValue 6047 5fff6cdd 6046->6047 6048 5fff6ce8 6046->6048 6048->6033 6050 5fff6861 6049->6050 6051 5fff686b 6050->6051 6052 5fff68b8 calloc 6050->6052 6087 5fff6570 6051->6087 6054 5fff6872 6052->6054 6055 5fff68d2 6052->6055 6095 5ff4f7e0 6054->6095 6057 5fff6570 3 API calls 6055->6057 6059 5fff68d7 6057->6059 6059->6054 6060 5fff68f8 free 6059->6060 6060->6054 6107 5fffa980 6061->6107 6064 5fff6773 6065 5fff67a1 6064->6065 6066 5fff67f0 fprintf 6064->6066 6068 5fff67a7 6065->6068 6110 5ff4f980 6065->6110 6066->6068 6068->6044 6073 5fff6add 6072->6073 6074 5fff6b88 6072->6074 6118 5fff64c0 6073->6118 6074->6046 6076 5fff6aed 6077 5fff6b04 TlsAlloc 6076->6077 6078 5fff6b18 6076->6078 6077->6078 6079 600a2425 abort 6077->6079 6081 5ff4f7e0 4 API calls 6078->6081 6084 5fff6b52 fprintf 6078->6084 6086 5fff6b7a 6078->6086 6080 600a242a abort GetModuleHandleA 6079->6080 6082 600a24a9 6080->6082 6083 600a2479 GetProcAddress GetProcAddress 6080->6083 6081->6078 6082->6046 6083->6082 6085 5ff4f7e0 4 API calls 6084->6085 6085->6078 6086->6046 6088 5fff657f 6087->6088 6089 5fff66a8 6087->6089 6090 5fff659e malloc 6088->6090 6091 5fff6670 realloc 6088->6091 6093 5fff65b4 
6088->6093 6089->6054 6090->6089 6090->6093 6091->6089 6091->6093 6092 5fff6622 6092->6054 6093->6092 6094 5fff6642 memmove 6093->6094 6094->6092 6096 5ff4f810 6095->6096 6097 5ff4f7f2 6095->6097 6103 5ff4f440 malloc 6096->6103 6098 5ff4f806 6097->6098 6101 5ff4f853 GetCurrentThreadId 6097->6101 6102 5ff4f7fd 6097->6102 6098->6037 6100 5ff4f828 SetEvent 6100->6098 6101->6098 6101->6102 6102->6098 6102->6100 6104 5ff4f49d 6103->6104 6105 5ff4f45b 6103->6105 6104->6097 6105->6104 6106 5ff4f493 free 6105->6106 6106->6104 6115 5ffeb640 6107->6115 6111 5ff4f9b4 free 6110->6111 6112 5ff4f993 6110->6112 6111->6068 6113 5ff4f9a6 free 6112->6113 6114 5ff4f99a CloseHandle 6112->6114 6113->6111 6114->6113 6116 5ffeb670 _vsnprintf 6115->6116 6117 5ffeb65b OutputDebugStringA abort 6115->6117 6116->6117 6117->6064 6119 5fff64d3 6118->6119 6120 5fff64dd calloc 6119->6120 6123 5fff64e0 6119->6123 6124 5fff64ed 6120->6124 6122 5fff6508 calloc 6122->6124 6123->6122 6123->6124 6124->6076 6940 5fff4390 GetModuleHandleW 6941 5fff43b1 GetProcAddress 6940->6941 6942 5fff43c9 6940->6942 6941->6942 6198 5fc33670 6200 5fc3367f 6198->6200 6199 5fc33690 6200->6199 6201 5fc35ba6 6200->6201 6202 5fc35bc7 6200->6202 6203 5ff4f7e0 4 API calls 6201->6203 6205 5ff4f7e0 4 API calls 6202->6205 6204 5fc35bbb 6203->6204 6207 6009ef3a 6205->6207 6206 5ff4f7e0 4 API calls 6206->6207 6207->6206 6943 5fc31bb0 6945 5fc31bbf 6943->6945 6944 5fc31bd0 6945->6944 6946 5ff4f7e0 4 API calls 6945->6946 6947 6009ee58 6946->6947 6948 5fc33d30 6950 5fc33d68 6948->6950 6949 5fc33dfd 6951 5fc33f1a memcpy 6949->6951 6955 5fc33f6c memcpy 6949->6955 6950->6949 6952 6009dbf0 6 API calls 6950->6952 6951->6949 6953 5fc33dba 6952->6953 6953->6949 6954 5fc33dcc memcpy 6953->6954 6954->6949 6955->6949 6956 5fc31cb0 6957 5fc31cbf 6956->6957 6958 5fc31ce1 6957->6958 6960 5fc359f0 6957->6960 6961 5fc35a65 6960->6961 6962 5fc35a0e 6960->6962 6961->6958 6964 5fc35a23 6962->6964 6965 5fc35aaf 6962->6965 6963 5ff4f7e0 4 API calls 
6963->6961 6969 5fc35a50 6964->6969 6977 5fc4bfe0 6964->6977 6967 5ff4f7e0 4 API calls 6965->6967 6968 6009ef1a 6967->6968 6972 5ff4f7e0 4 API calls 6968->6972 6969->6963 6970 5fc35a4a 6970->6969 6971 5fc4f8b0 18 API calls 6970->6971 6971->6969 6973 6009ef2a 6972->6973 6974 5ff4f7e0 4 API calls 6973->6974 6976 6009ef3a 6974->6976 6975 5ff4f7e0 4 API calls 6975->6976 6976->6975 6978 5fc4c125 6977->6978 6979 5fc4bff5 6977->6979 6981 5fd2bfc0 10 API calls 6978->6981 6980 5fc4c046 6979->6980 6982 5fc4c16c 6979->6982 6986 5fc4c00f 6979->6986 6980->6970 6983 5fc4c146 6981->6983 6988 5fd2bfc0 10 API calls 6982->6988 6985 5fd2c340 10 API calls 6983->6985 6984 5fc4c083 6984->6970 6985->6980 6986->6984 6987 5fc4c0e0 6986->6987 6992 5fc4c02d 6986->6992 6991 5fd2bfc0 10 API calls 6987->6991 6989 5fc4c18d 6988->6989 6990 5fd2c340 10 API calls 6989->6990 6990->6980 6993 5fc4c101 6991->6993 6992->6980 6995 5fce02e0 3 API calls 6992->6995 6994 5fd2c340 10 API calls 6993->6994 6996 5fc4c11d 6994->6996 6997 5fc4c095 6995->6997 6996->6970 6997->6980 6998 5fc473d0 28 API calls 6997->6998 6998->6980 6999 5fc324b0 7000 5fc32500 6999->7000 7001 5fc326fb memcpy 7000->7001 7001->7000 6163 5fd95740 6164 5fd95759 6163->6164 6172 5fd957b6 6164->6172 6175 5fd74e60 EnterCriticalSection 6164->6175 6166 5fd95773 6166->6172 6176 5fd74ea0 LeaveCriticalSection 6166->6176 6168 5fd9578a 6168->6172 6177 5fd74e80 EnterCriticalSection 6168->6177 6170 5fd957a9 6178 5fd74ea0 LeaveCriticalSection 6170->6178 6173 5fd9579b 6173->6170 6173->6172 6179 5fd251d0 6173->6179 6175->6166 6176->6168 6177->6173 6178->6172 6180 5fd251e2 6179->6180 6188 5fd251f5 6179->6188 6189 5fd74e80 EnterCriticalSection 6180->6189 6182 5fd251ef 6182->6188 6190 5fd74ea0 LeaveCriticalSection 6182->6190 6184 5fd2521f 6185 5fd2bfc0 10 API calls 6184->6185 6184->6188 6186 5fd25244 6185->6186 6187 5fd2c340 10 API calls 6186->6187 6187->6188 6188->6170 6189->6182 6190->6184 6208 5fff9640 6209 5fff966a 6208->6209 6210 5fff9852 _errno 
6208->6210 6211 5fff9818 GetCurrentProcess GetProcessTimes 6209->6211 6212 5fff9678 GetCurrentThread GetThreadTimes 6209->6212 6213 5fff9750 QueryPerformanceFrequency 6209->6213 6214 5fff9710 GetSystemTimeAsFileTime 6209->6214 6217 5fff96b2 6209->6217 6211->6210 6211->6217 6212->6210 6212->6217 6213->6210 6215 5fff9768 QueryPerformanceCounter 6213->6215 6214->6217 6215->6210 6215->6217 6216 5fff9702 6217->6216 6218 5fff989a 6217->6218 6219 5fff9957 _errno 6217->6219 6220 5fff9938 6218->6220 6231 5fff98a2 6218->6231 6223 5fff990b 6219->6223 6222 5fff9944 6220->6222 6220->6223 6221 5fff9917 6224 5fff9be2 _errno 6222->6224 6227 5fff9a7a 6222->6227 6223->6221 6225 5fff9991 FileTimeToSystemTime 6223->6225 6226 5fff9a10 _errno 6223->6226 6237 5fff9bb3 6224->6237 6225->6226 6228 5fff99e5 SetSystemTime 6225->6228 6235 5fff99f5 6226->6235 6229 5fff9a82 GetSystemTimeAsFileTime 6227->6229 6232 5fff9aa3 6227->6232 6230 5fff9a23 _errno 6228->6230 6228->6235 6229->6232 6230->6235 6241 5fff9a40 6231->6241 6236 5fff9b15 6232->6236 6232->6237 6253 5fff8010 6232->6253 6236->6237 6238 5fff9ba7 _errno 6236->6238 6239 5fff9b21 GetSystemTimeAsFileTime 6236->6239 6238->6237 6240 5fff9b5d 6239->6240 6240->6238 6242 5fff9a6b 6241->6242 6243 5fff9be2 _errno 6241->6243 6242->6243 6244 5fff9a7a 6242->6244 6249 5fff9bb3 6243->6249 6245 5fff9a82 GetSystemTimeAsFileTime 6244->6245 6247 5fff9aa3 6244->6247 6245->6247 6246 5fff8010 103 API calls 6246->6247 6247->6246 6248 5fff9b15 6247->6248 6247->6249 6248->6249 6250 5fff9ba7 _errno 6248->6250 6251 5fff9b21 GetSystemTimeAsFileTime 6248->6251 6249->6223 6250->6249 6252 5fff9b5d 6251->6252 6252->6250 6254 5fff6ad0 13 API calls 6253->6254 6255 5fff801e TlsGetValue 6254->6255 6256 5fff8088 6255->6256 6257 5fff8035 6255->6257 6317 5fff6b90 6256->6317 6259 5fff8039 6257->6259 6260 5fff8060 6257->6260 6271 5fff7e30 6259->6271 6262 5fff7e30 100 API calls 6260->6262 6264 5fff8065 Sleep 6262->6264 6263 5fff803e 6265 5fff8098 Sleep 6263->6265 6266 5fff8045 
6263->6266 6267 5fff7e30 100 API calls 6264->6267 6265->6266 6269 5fff7e30 100 API calls 6266->6269 6268 5fff807a 6267->6268 6268->6232 6270 5fff8056 6269->6270 6270->6232 6272 5fff6ad0 13 API calls 6271->6272 6273 5fff7e3a TlsGetValue 6272->6273 6274 5fff7ea0 6273->6274 6278 5fff7e51 6273->6278 6276 5fff6b90 39 API calls 6274->6276 6275 5fff7e60 6275->6263 6276->6278 6277 5fff7e92 6279 5ff4f7e0 4 API calls 6277->6279 6278->6275 6278->6277 6280 5fff7eb1 6278->6280 6281 5fff7e9a 6279->6281 6282 5fff7ec7 ResetEvent 6280->6282 6283 5fff7ed1 6280->6283 6281->6263 6282->6283 6284 5ff4f7e0 4 API calls 6283->6284 6285 5fff7ed9 6284->6285 6333 5fff7d40 6285->6333 6318 5fff6850 9 API calls 6317->6318 6321 5fff6b9c 6318->6321 6319 5fff6ba6 GetCurrentThreadId CreateEventA 6319->6321 6320 5fff6ca3 6320->6257 6321->6319 6321->6320 6322 5fff6bfc GetCurrentProcess GetCurrentThread GetCurrentProcess DuplicateHandle 6321->6322 6328 5fff6cad 6321->6328 6324 600a242a abort GetModuleHandleA 6322->6324 6325 5fff6c60 GetThreadPriority TlsSetValue 6322->6325 6323 5fff66e0 8 API calls 6323->6328 6326 600a24a9 6324->6326 6327 600a2479 GetProcAddress GetProcAddress 6324->6327 6325->6320 6325->6324 6326->6257 6327->6326 6328->6323 6329 5fff6ad0 13 API calls 6328->6329 6330 5fff6cc8 TlsGetValue 6329->6330 6331 5fff6cdd 6330->6331 6332 5fff6ce8 6330->6332 6331->6257 6332->6317 6334 5fff7d49 6333->6334 6396 5fff7cf0 6334->6396 6337 5fff7cf0 40 API calls 6338 5fff7d93 6337->6338 6402 5fff7bb0 6338->6402 6397 5fff6ad0 13 API calls 6396->6397 6398 5fff7cf8 TlsGetValue 6397->6398 6399 5fff7d0d 6398->6399 6400 5fff7d30 6398->6400 6399->6337 6401 5fff6b90 39 API calls 6400->6401 6401->6399 6403 5fff7bbe 6402->6403 6404 5fff7bd2 6403->6404 6417 5fff6cf0 6403->6417 6406 5fff7bec TlsGetValue 6404->6406 6407 5fff7bd8 longjmp 6404->6407 6408 5fff7c2d _endthreadex 6406->6408 6409 5fff7c01 6406->6409 6407->6406 6412 5fff7c36 CloseHandle 6408->6412 6410 5fff7c6d 6409->6410 6411 5fff7c0a 6409->6411 6413 
5fff7c77 CloseHandle 6410->6413 6415 5fff7c22 6410->6415 6414 5fff7c18 CloseHandle 6411->6414 6411->6415 6412->6415 6413->6415 6414->6415 6415->6408 6415->6412 6416 5fff7c55 TlsSetValue 6415->6416 6416->6408 6418 5fff6e10 6417->6418 6419 5fff6cf8 6417->6419 6418->6404 6420 5ff4f7e0 4 API calls 6419->6420 6424 5fff6d22 6420->6424 6421 5fff6df1 6421->6404 6424->6421 6425 5fffa1f0 6424->6425 6432 5fffa500 6424->6432 6441 5fffa010 6425->6441 6427 5fffa206 6427->6424 6428 5fffa202 6428->6427 6429 5ff4f7e0 4 API calls 6428->6429 6430 5fffa237 6428->6430 6429->6430 6431 5ff4f7e0 malloc free SetEvent GetCurrentThreadId 6430->6431 6431->6430 6433 5fffa511 6432->6433 6434 5fffa580 6433->6434 6435 5ff4f7e0 4 API calls 6433->6435 6439 5fffa53b 6433->6439 6434->6424 6436 5fffa531 6435->6436 6437 5ff4f7e0 4 API calls 6436->6437 6437->6439 6440 5ff4f7e0 malloc free SetEvent GetCurrentThreadId 6439->6440 6479 5fff5b50 6439->6479 6440->6439 6442 5fffa060 6441->6442 6444 5fffa01e 6441->6444 6445 5fff9fb0 6442->6445 6444->6428 6446 5fff9fc2 6445->6446 6448 5fff9ff0 6446->6448 6450 5fff9e70 6446->6450 6448->6444 6449 5fff9fd7 6449->6444 6451 5fff9f68 6450->6451 6452 5fff9e83 calloc 6450->6452 6451->6449 6453 5fff9ea7 6452->6453 6462 5fff9f09 6452->6462 6454 5fff9ed9 6453->6454 6455 5fff9f20 free 6453->6455 6456 5fff9f40 6454->6456 6457 5fff9ef0 6454->6457 6455->6449 6459 5ff4f980 2 API calls 6456->6459 6467 5fff54a0 6457->6467 6461 5fff9f4c free 6459->6461 6460 5fff9f03 6460->6462 6463 5ff4f980 2 API calls 6460->6463 6461->6449 6462->6449 6464 5fff9f8c 6463->6464 6465 5ff4f980 2 API calls 6464->6465 6466 5fff9f94 free 6465->6466 6466->6462 6468 5fff54c1 6467->6468 6469 5fff55f0 6467->6469 6470 5fff54ce calloc 6468->6470 6471 5fff5598 6468->6471 6469->6460 6470->6471 6472 5fff54ec CreateSemaphoreA CreateSemaphoreA 6470->6472 6471->6460 6473 5fff55b7 6472->6473 6474 5fff5555 6472->6474 6477 5fff55bb CloseHandle 6473->6477 6478 5fff55c7 free 6473->6478 6475 5fff5559 

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 5FFF6BAD
                                                                                                                                                                                                                        • CreateEventA.KERNEL32 ref: 5FFF6BD5
                                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 5FFF6C17
                                                                                                                                                                                                                        • GetCurrentThread.KERNEL32 ref: 5FFF6C1B
                                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 5FFF6C23
                                                                                                                                                                                                                        • DuplicateHandle.KERNELBASE ref: 5FFF6C4F
                                                                                                                                                                                                                        • GetThreadPriority.KERNEL32 ref: 5FFF6C66
                                                                                                                                                                                                                        • TlsSetValue.KERNEL32 ref: 5FFF6C92
                                                                                                                                                                                                                        • TlsGetValue.KERNEL32 ref: 5FFF6CD0
                                                                                                                                                                                                                        • abort.MSVCRT(?,?,?,431BDE83,5FFF9B07), ref: 600A242A
                                                                                                                                                                                                                        • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,431BDE83,5FFF9B07), ref: 600A246C
                                                                                                                                                                                                                        • GetProcAddress.KERNEL32 ref: 600A248C
                                                                                                                                                                                                                        • GetProcAddress.KERNEL32 ref: 600A24A0
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2187893880.000000005FC30000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2199748994.00000000600A9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2199882753.00000000600B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2199882753.000000006017E000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2201503437.0000000060265000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2201528488.0000000060266000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2201547808.0000000060267000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2201575734.000000006026B000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5fc30000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Current$Thread$AddressHandleProcProcessValue$CreateDuplicateEventModulePriorityabort
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1214264455-0
                                                                                                                                                                                                                        • Opcode ID: eed263bcffcf603b348ed6e7d36ec53c1885d35bf7608f7aded1f0ddc6ae427f
                                                                                                                                                                                                                        • Instruction ID: 7a14a4b59bc2894bb144a9c080ff3c683cb04df854c5572ea3da19dfa70fac8f
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: eed263bcffcf603b348ed6e7d36ec53c1885d35bf7608f7aded1f0ddc6ae427f
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 58411AB18153008FDB00AF79D98936ABFF4FF45314F00866DE88497266E7B9D454CB92

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5fc30000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: abort
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 4206212132-0
                                                                                                                                                                                                                        • Opcode ID: 48a6b962c79ad736dfd95aff3798e85babf97129c6d4264baa583080730b197b
                                                                                                                                                                                                                        • Instruction ID: fa21f702ee0785723a9ecd3622445400cd93bcabd3c61d91a949977216c58f2b
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 48a6b962c79ad736dfd95aff3798e85babf97129c6d4264baa583080730b197b
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CA0196F19153468FD700EFB9C49572A7FE47F52300F890856D8809BB62D738D988D7A2

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5fc30000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: _lock_unlockcalloc
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3876498383-0
                                                                                                                                                                                                                        • Opcode ID: ab375ab5a348395aa2b1c41066fd2d73b620529a5e0c5ab71e7ee1146ade8483
                                                                                                                                                                                                                        • Instruction ID: 88931d2cc509c63ea0f6b0b42023c23751b180953b7cb40b1d3b3f000900328c
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ab375ab5a348395aa2b1c41066fd2d73b620529a5e0c5ab71e7ee1146ade8483
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 64115EB16052118FDB50DF68C58075ABBE4FF88210F1986AAD898CF795EB74D840CBA2

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5fc30000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: malloc
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 2803490479-0
                                                                                                                                                                                                                        • Opcode ID: c5867198dcf9d073290aeebe08f7977020d2962c7d55e0156b73189909da6f16
                                                                                                                                                                                                                        • Instruction ID: 7ffc36f6165f55670b666bed1a144f644ff91c92891282ed7f1f98db5c8965d5
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c5867198dcf9d073290aeebe08f7977020d2962c7d55e0156b73189909da6f16
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1F1161B12093019BDB80BF69D98066FBFE4AF84B58F404D1EE4C9CB652D774E4408BD2

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                          • Part of subcall function 5FFF64C0: calloc.MSVCRT ref: 5FFF654E
                                                                                                                                                                                                                        • TlsAlloc.KERNEL32(?,?,00000000,5FFF801E,?,?,?,431BDE83,5FFF9B07), ref: 5FFF6B04
                                                                                                                                                                                                                        • fprintf.MSVCRT ref: 5FFF6B69
                                                                                                                                                                                                                        • abort.MSVCRT(?,?,?,431BDE83,5FFF9B07), ref: 600A2425
                                                                                                                                                                                                                        • abort.MSVCRT(?,?,?,431BDE83,5FFF9B07), ref: 600A242A
                                                                                                                                                                                                                        • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,431BDE83,5FFF9B07), ref: 600A246C
                                                                                                                                                                                                                        • GetProcAddress.KERNEL32 ref: 600A248C
                                                                                                                                                                                                                        • GetProcAddress.KERNEL32 ref: 600A24A0
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2187893880.000000005FC30000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2199748994.00000000600A9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2199882753.00000000600B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2199882753.000000006017E000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2201503437.0000000060265000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2201528488.0000000060266000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2201547808.0000000060267000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2201575734.000000006026B000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5fc30000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: AddressProcabort$AllocHandleModulecallocfprintf
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 2703921052-0
                                                                                                                                                                                                                        • Opcode ID: 69d00d08606af822ef26000beceb18d22f811bb46117775cb4a03793b004624d
                                                                                                                                                                                                                        • Instruction ID: 0df4474d9d31aab45def323963c4d699aae743b07e8dd9f7d5ff8da707a69315
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 69d00d08606af822ef26000beceb18d22f811bb46117775cb4a03793b004624d
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E6317CB29253009FDB00AF68D88936ABFE4FF55214F05452EE588E7371DBB59440CB92
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: memcpy$malloc
                                                                                                                                                                                                                        • String ID: (`
                                                                                                                                                                                                                        • API String ID: 962570267-3480472747
                                                                                                                                                                                                                        • Opcode ID: 0378db273d80f09f69880694f6c11813800ebd8fd1acc1395f3417ca60553f43
                                                                                                                                                                                                                        • Instruction ID: 7d78f9cb8055bc4bb5729689fb738e2cb4e271a0d4b909822f3f131b52d550e7
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0378db273d80f09f69880694f6c11813800ebd8fd1acc1395f3417ca60553f43
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 36613DB19097818ED340DF68C58035FBFE0BFE6348F114A6EE4C4A7262E7B59584DB92
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: memcpy
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3510742995-0
                                                                                                                                                                                                                        • Opcode ID: ca802f03bfa68888f8359a9990aef875cd53c326e60076e970967c8f7cfa5c67
                                                                                                                                                                                                                        • Instruction ID: 9c39a18c0730e5cdb2da9b8b1286974b5a999fa66db4398415aec1d703ebabbe
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ca802f03bfa68888f8359a9990aef875cd53c326e60076e970967c8f7cfa5c67
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B451DFB4D543589FCB04DFA9C480ADEBBF4BF89344F10852EE844AB395E774A845CB91
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: memcpy
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3510742995-0
                                                                                                                                                                                                                        • Opcode ID: d9be2dce889c820a21046f333fe25b32e2d89f6ada6bc510bb6d89bfef96a538
                                                                                                                                                                                                                        • Instruction ID: b23198aa7ced68edeb3eb1d46587fe985c109be459800d9d7f86314c2902c7cb
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d9be2dce889c820a21046f333fe25b32e2d89f6ada6bc510bb6d89bfef96a538
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D351D0B4D153589FCB00DFA9C480ACEBBF4BF89344F11856EE844AB399E774A845CB91
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: memcpy
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3510742995-0
                                                                                                                                                                                                                        • Opcode ID: 2d76632ee9c5477d69948677a5822199bbe7f8ddfcf921de88a7a9e01587faba
                                                                                                                                                                                                                        • Instruction ID: 1be26a4be4452bbc27358c7b8d678638e5557b292b0b5b0e46592b6ac9207b5c
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2d76632ee9c5477d69948677a5822199bbe7f8ddfcf921de88a7a9e01587faba
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AC51DFB4D143589FCB00DFA9C880ACEBBF4BF89344F11856EE844AB395D775A849CB91
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5fc30000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 2cc72ea6f1c14dfa902ebf7a507373ce5dca28c9880e00ec4599b0a8fdd5d75c
                                                                                                                                                                                                                        • Instruction ID: 19328ac630b178432173e1841aae5311330db6e6b3408e465a25e6c4d945fca5
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2cc72ea6f1c14dfa902ebf7a507373ce5dca28c9880e00ec4599b0a8fdd5d75c
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C531D1B09083409FC3509F29C48034BBBE5BBC9798F504A2DF9989B260D774A9458B92
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5fc30000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 26b14e1bc13f48eece9efdb52935c3adbedb779fd751b4c2db2af895439a1b13
                                                                                                                                                                                                                        • Instruction ID: ae330e319ee5587d6256d91570500ab74add99f3fbc6e113b54e896253f05db4
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 26b14e1bc13f48eece9efdb52935c3adbedb779fd751b4c2db2af895439a1b13
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2931D2B06097818FC700AFA9C58431FBBE2BFD5244F119C2DA5C08B255DB78D849CB92
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5fc30000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: fde55884ab3512234ebd07cee1cbba1e9557f3ca6fb90b0089b7a65ce89106ee
                                                                                                                                                                                                                        • Instruction ID: 468e80eea538aa33929c66421f826567b54d87d4d4b4f042066fe8160328c7f2
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fde55884ab3512234ebd07cee1cbba1e9557f3ca6fb90b0089b7a65ce89106ee
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3431E2B0A097818FC700AFA9C98431FBAE1BFD5244F119C2EE5C08B355DB78D849CB92
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5fc30000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 04fd1a9125bfd2236fb9ddb1cebcd5043b5ddcdea5d6fb7ae223072e2b11908c
                                                                                                                                                                                                                        • Instruction ID: 7a28bb3c19099943a6eb86a699ad70260470d30c4f3065664d8d3081c6443532
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 04fd1a9125bfd2236fb9ddb1cebcd5043b5ddcdea5d6fb7ae223072e2b11908c
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FFC012B0C082408AC200BF38860A228FAB06B62208F842CACE48013202E739C018A69B

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • GetCurrentThread.KERNEL32 ref: 5FFF9678
                                                                                                                                                                                                                        • GetThreadTimes.KERNEL32 ref: 5FFF96A1
                                                                                                                                                                                                                        • GetSystemTimeAsFileTime.KERNEL32 ref: 5FFF9717
                                                                                                                                                                                                                        • QueryPerformanceFrequency.KERNEL32 ref: 5FFF9757
                                                                                                                                                                                                                        • QueryPerformanceCounter.KERNEL32 ref: 5FFF976F
                                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 5FFF9818
                                                                                                                                                                                                                        • GetProcessTimes.KERNEL32 ref: 5FFF9841
                                                                                                                                                                                                                        • _errno.MSVCRT ref: 5FFF9852
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5fc30000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CurrentPerformanceProcessQueryThreadTimeTimes$CounterFileFrequencySystem_errno
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3786581644-0
                                                                                                                                                                                                                        • Opcode ID: 9067be0ed3d1f93a274ea68dfeb14be4576229c482e0c607cdd9c7c17fe6354e
                                                                                                                                                                                                                        • Instruction ID: 32be8752b78a214fca3ca32c0b4e36de125b7e39be2b1e779ddbcad5f0867ab8
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9067be0ed3d1f93a274ea68dfeb14be4576229c482e0c607cdd9c7c17fe6354e
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 39B102B55083008FC710EF68C98855ABFF6FF89354F058A2EE895D7664E7B4E544CB82

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • calloc.MSVCRT ref: 5FFF54DD
                                                                                                                                                                                                                        • CreateSemaphoreA.KERNEL32 ref: 5FFF551F
                                                                                                                                                                                                                        • CreateSemaphoreA.KERNEL32 ref: 5FFF5546
                                                                                                                                                                                                                        • InitializeCriticalSection.KERNEL32 ref: 5FFF5565
                                                                                                                                                                                                                        • InitializeCriticalSection.KERNEL32 ref: 5FFF5570
                                                                                                                                                                                                                        • InitializeCriticalSection.KERNEL32 ref: 5FFF557B
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5fc30000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CriticalInitializeSection$CreateSemaphore$calloc
                                                                                                                                                                                                                        • String ID: l
                                                                                                                                                                                                                        • API String ID: 2075313795-2517025534
                                                                                                                                                                                                                        • Opcode ID: fdb783dff1ea43411ab62f9ecf23e0a01d725d68fb43330a0a8b487026a6847f
                                                                                                                                                                                                                        • Instruction ID: ad30669fa334862c45e6ce4555e22d032633ad03de5198e28c8cc21728369ff5
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fdb783dff1ea43411ab62f9ecf23e0a01d725d68fb43330a0a8b487026a6847f
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 50416DB25043008FEB00AF68D98839ABFF4EF41314F198A6DD9549B695E775E454CB82

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5fc30000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: eca679e1bb5c40de951910998f2a401aa212a88ccbc987e4876e091e60ab303c
                                                                                                                                                                                                                        • Instruction ID: e9dc93a2203cc16e5e477ebc2ea31ce51d1374b08ec8f3363e6c8e2b3cf39e7f
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: eca679e1bb5c40de951910998f2a401aa212a88ccbc987e4876e091e60ab303c
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0B71EDB15483068FC700AFB8C48276EBBE4AF61304F45980EE6C4DB665DF749445EBA3

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                          • Part of subcall function 5FFF7AC0: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000030,76EBE820), ref: 5FFF7AD0
                                                                                                                                                                                                                          • Part of subcall function 5FF4FE90: WaitForMultipleObjects.KERNEL32 ref: 5FF4FF03
                                                                                                                                                                                                                        • ResetEvent.KERNEL32 ref: 5FFF569F
                                                                                                                                                                                                                          • Part of subcall function 5FFF7E30: TlsGetValue.KERNEL32(?,?,00000000,?,5FFF8065,?,?,?,?,431BDE83,5FFF9B07), ref: 5FFF7E42
                                                                                                                                                                                                                        • WaitForSingleObject.KERNEL32 ref: 5FFF56DF
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5fc30000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ValueWait$EventMultipleObjectObjectsResetSingle
                                                                                                                                                                                                                        • String ID: (
                                                                                                                                                                                                                        • API String ID: 2327612466-3887548279
                                                                                                                                                                                                                        • Opcode ID: b75b9a09ad8f3cde3994685d98b4825ee91b49a0826c665d22f66ab450ef0ec5
                                                                                                                                                                                                                        • Instruction ID: 0969e11b83bd1b176e66376b70ea96041602d041a2bc42df185d38844456947b
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b75b9a09ad8f3cde3994685d98b4825ee91b49a0826c665d22f66ab450ef0ec5
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D06190F2915315CBD710AFB585C829ABEE0AF81750F0D482EE984D7A71E635E844CBE3

                                                                                                                                                                                                                        Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
• Associated: 0000000C.00000002.2187893880.000000005FC30000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2199748994.00000000600A9000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2199882753.00000000600B0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2199882753.000000006017E000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2201503437.0000000060265000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2201528488.0000000060266000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2201547808.0000000060267000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2201575734.000000006026B000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5fc30000_rfusclient.jbxd
Similarity
• API ID: strlen
• String ID: $ $+$0123456789ABCDEF$0123456789abcdef
• API String ID: 39653677-2690344263
• Opcode ID: 1a21a3df6995429868e2b49fa40a9c125693253f52368ef8a7b184028daec450
• Instruction ID: 7f2944f89d7b97d2cc4757f5bda50754d8c9f3289deec1a6d6d84b3087c59477
• Opcode Fuzzy Hash: 1a21a3df6995429868e2b49fa40a9c125693253f52368ef8a7b184028daec450
• Instruction Fuzzy Hash: 440229B46093418FC721CF29C08075BBBE1BF89748F148D2DEAA89B352D775E944CB92

Control-flow Graph

APIs
• SwitchToFiber.KERNEL32(?,?,?,?,5FC31CE1,5FC470E0,?,5FC4742C,?,?,?,?,?,?,?,?), ref: 5FCDFCB9
• memcpy.MSVCRT(?,?,?,?,?,5FC31CE1,5FC470E0,?,5FC4742C,?,?,?,?,?,?,?), ref: 5FCDFD50
• SwitchToFiber.KERNEL32(?,?,?,?,?,5FC31CE1,5FC470E0,?,5FC4742C,?,?,?,?,?,?,?), ref: 5FCDFD7C
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
• Associated: 0000000C.00000002.2187893880.000000005FC30000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2199748994.00000000600A9000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2199882753.00000000600B0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2199882753.000000006017E000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2201503437.0000000060265000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2201528488.0000000060266000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2201547808.0000000060267000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2201575734.000000006026B000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5fc30000_rfusclient.jbxd
Similarity
• API ID: FiberSwitch$memcpy
• String ID: `
• API String ID: 148397844-2679148245
• Opcode ID: 444701f359683095bb3db78f7751f4cb81eea3dddb63ac2f1d3d76753b21bd55
• Instruction ID: d21574f7e487a5ff70d30af91726ea57ae8563cb5a0fe7b1ca6deff5b9305ad8
• Opcode Fuzzy Hash: 444701f359683095bb3db78f7751f4cb81eea3dddb63ac2f1d3d76753b21bd55
• Instruction Fuzzy Hash: 1AD1E2F050A7459BDB40AF64D09471FBBE0BF80784F05892DE9D88B245DBB9D885CBE2

Control-flow Graph

APIs
  • Part of subcall function 5FFF6AD0: TlsAlloc.KERNEL32(?,?,00000000,5FFF801E,?,?,?,431BDE83,5FFF9B07), ref: 5FFF6B04
• TlsGetValue.KERNEL32(?,?,00000000,?,5FFF8065,?,?,?,?,431BDE83,5FFF9B07), ref: 5FFF7E42
Memory Dump Source
• Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
• Associated: 0000000C.00000002.2187893880.000000005FC30000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2199748994.00000000600A9000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2199882753.00000000600B0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2199882753.000000006017E000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2201503437.0000000060265000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2201528488.0000000060266000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2201547808.0000000060267000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2201575734.000000006026B000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5fc30000_rfusclient.jbxd
Similarity
• API ID: AllocValue
• String ID:
• API String ID: 1189806713-0
• Opcode ID: f4d5cdfc348a1c3406f79f8fb14f8edac9c6a3a47dc0a3868a5645fcfe61ada4
• Instruction ID: 4b00fe2f7d7fc9cb4a1d44555fa5dda40714144c9955a131475c5b2af77580dd
• Opcode Fuzzy Hash: f4d5cdfc348a1c3406f79f8fb14f8edac9c6a3a47dc0a3868a5645fcfe61ada4
• Instruction Fuzzy Hash: F84186F36157014BDB007FB8988866ABFA4EF01214F094A6AD856CB6B6FA74D840C7D2

Control-flow Graph

                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
• Associated: 0000000C.00000002.2187893880.000000005FC30000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2199748994.00000000600A9000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2199882753.00000000600B0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2199882753.000000006017E000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2201503437.0000000060265000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2201528488.0000000060266000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2201547808.0000000060267000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000C.00000002.2201575734.000000006026B000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5fc30000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CurrentDebugOutputStringThreadabortfprintf
                                                                                                                                                                                                                        • String ID: 5
                                                                                                                                                                                                                        • API String ID: 4086887302-2226203566

                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                          • Part of subcall function 5FFF6B90: TlsGetValue.KERNEL32 ref: 5FFF6CD0
                                                                                                                                                                                                                        • longjmp.MSVCRT ref: 5FFF7BE6
                                                                                                                                                                                                                        • TlsGetValue.KERNEL32(?,?,?,0000001C,5FFF7D9F,?,?,?,?,00000000,5FFF7EDE,?,?,?,00000000,?), ref: 5FFF7BF4
                                                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,0000001C,5FFF7D9F,?,?,?,?,00000000,5FFF7EDE,?,?,?,00000000), ref: 5FFF7C1B
                                                                                                                                                                                                                        • _endthreadex.MSVCRT(?,?,?,?,0000001C,5FFF7D9F,?,?,?,?,00000000,5FFF7EDE,?,?,?,00000000), ref: 5FFF7C30
                                                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,0000001C,5FFF7D9F,?,?,?,?,00000000,5FFF7EDE,?,?,?,00000000), ref: 5FFF7C42
                                                                                                                                                                                                                        • TlsSetValue.KERNEL32(?,?,?,?,?,0000001C,5FFF7D9F,?,?,?,?,00000000,5FFF7EDE), ref: 5FFF7C63
                                                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,0000001C,5FFF7D9F,?,?,?,?,00000000,5FFF7EDE,?,?,?,00000000), ref: 5FFF7C7A
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5fc30000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CloseHandleValue$_endthreadexlongjmp
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3990644698-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5fc30000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: malloc
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 2803490479-0
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5fc30000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: `$e
                                                                                                                                                                                                                        • API String ID: 0-2074502723
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • calloc.MSVCRT ref: 5FFF9E98
                                                                                                                                                                                                                        • free.MSVCRT ref: 5FFF9F27
                                                                                                                                                                                                                        • free.MSVCRT ref: 5FFF9F4F
                                                                                                                                                                                                                          • Part of subcall function 5FFF54A0: calloc.MSVCRT ref: 5FFF54DD
                                                                                                                                                                                                                          • Part of subcall function 5FFF54A0: CreateSemaphoreA.KERNEL32 ref: 5FFF551F
                                                                                                                                                                                                                          • Part of subcall function 5FFF54A0: CreateSemaphoreA.KERNEL32 ref: 5FFF5546
                                                                                                                                                                                                                          • Part of subcall function 5FFF54A0: InitializeCriticalSection.KERNEL32 ref: 5FFF5565
                                                                                                                                                                                                                          • Part of subcall function 5FFF54A0: InitializeCriticalSection.KERNEL32 ref: 5FFF5570
                                                                                                                                                                                                                          • Part of subcall function 5FFF54A0: InitializeCriticalSection.KERNEL32 ref: 5FFF557B
                                                                                                                                                                                                                        • free.MSVCRT ref: 5FFF9F97
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2187893880.000000005FC30000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2199748994.00000000600A9000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2199882753.00000000600B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2199882753.000000006017E000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2201503437.0000000060265000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2201528488.0000000060266000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2201547808.0000000060267000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2201575734.000000006026B000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5fc30000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CriticalInitializeSectionfree$CreateSemaphorecalloc
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3430360044-3916222277
                                                                                                                                                                                                                        • Opcode ID: 5e17245b14a16c47887db4d77e7442e1f41ca2bef3267d77ef55ec6c467aa379
                                                                                                                                                                                                                        • Instruction ID: 1a3eb197f471da4313ce0937b8971a3ab67bfe03a993d8b7369fa92827acd494
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5e17245b14a16c47887db4d77e7442e1f41ca2bef3267d77ef55ec6c467aa379
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 37317CB16193009FD314AF66E88435FBBE5EF84324F09882ED488CB695E376D449CBD2
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Time$FileSystem_errno
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3586254970-0
                                                                                                                                                                                                                        • Opcode ID: fe0d0687a48d7144e88008d5c01635f030ea56baf31f0921f1f09efeb84f89d2
                                                                                                                                                                                                                        • Instruction ID: 78827df70b1d67b005907acda5d40f748e6e85fa9448afa4a05c4f2cec882b91
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fe0d0687a48d7144e88008d5c01635f030ea56baf31f0921f1f09efeb84f89d2
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A9516DB26083048FC710DF69C98465BBBE6BFC8314F598A2DE998D7764E770D905CB82
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • abort.MSVCRT(?,?,?,?,?,?,5FFFBC17), ref: 6009F810
                                                                                                                                                                                                                        • abort.MSVCRT(?,?,?,?,?,?,5FFFBB6C), ref: 6009F818
                                                                                                                                                                                                                        • abort.MSVCRT(?,?,?,?,?,?,5FFFBC17), ref: 6009F82C
                                                                                                                                                                                                                        • abort.MSVCRT(?,?,?,?,?,?,5FFFBC17), ref: 6009F844
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: abort
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 4206212132-0
                                                                                                                                                                                                                        • Opcode ID: 08aa0320bb69de8eebb76955aca1d4c089c30a7db2b6477e920e50f297c5641e
                                                                                                                                                                                                                        • Instruction ID: 56c1fbe806b46733acc050b8333a9ad1403564df51e99f81a08c62df87a1a600
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 08aa0320bb69de8eebb76955aca1d4c089c30a7db2b6477e920e50f297c5641e
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 874106B22483068FC704DF68D4817AA77E5FF82308F18896EE184CB769DB31D806D792
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • QueryPerformanceCounter.KERNEL32 ref: 5FF4FB60
                                                                                                                                                                                                                        • GetTickCount.KERNEL32 ref: 5FF4FB6D
                                                                                                                                                                                                                        • QueryPerformanceFrequency.KERNEL32 ref: 5FF4FBD7
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: PerformanceQuery$CountCounterFrequencyTick
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 713402817-0
                                                                                                                                                                                                                        • Opcode ID: fb3646bd5c2c9e901f765ef1966b088a4ce7d3d64bfc5ac46c55006e71b39b0b
                                                                                                                                                                                                                        • Instruction ID: 8b3da444b8b0c51a3cff9b6e481486876d64cef5d54b18151e45f9db383886f9
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fb3646bd5c2c9e901f765ef1966b088a4ce7d3d64bfc5ac46c55006e71b39b0b
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A33105B59083019FC704EF38D99865ABFE1BF89314F018A29E898D7794E734E549CF92
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: strlen$strcpy
                                                                                                                                                                                                                        • String ID: B
                                                                                                                                                                                                                        • API String ID: 2790333442-1255198513
                                                                                                                                                                                                                        • Opcode ID: c62bbfd32aa233bfbc315185da103b11445fadf2e8b9db339360f7d23e5e9c4c
                                                                                                                                                                                                                        • Instruction ID: 31326df409960131b68c9671b748794df43f81eef59a91aefc6d4458d6f5c4a3
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c62bbfd32aa233bfbc315185da103b11445fadf2e8b9db339360f7d23e5e9c4c
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6F2153F180A7059FD740AF64C58479ABBE0FF80758F49486EE8888B352E775D844DBD2
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • memset.MSVCRT ref: 6007A49E
                                                                                                                                                                                                                        • memmove.MSVCRT(?,?,?,?,?,00000000,00000000,?,?,5FC37F62), ref: 6007A4BE
                                                                                                                                                                                                                        • memset.MSVCRT ref: 6007A5B4
                                                                                                                                                                                                                          • Part of subcall function 6009DBF0: malloc.MSVCRT ref: 6009DC07
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5fc30000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: memset$mallocmemmove
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1346079573-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,0000001C,?,5FFFA59B), ref: 5FFF5B96
                                                                                                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,0000001C,?,5FFFA59B), ref: 5FFF5C26
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5fc30000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3168844106-0
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,0000001C,00000030,00000050,?,5FFF5BD1), ref: 5FFF5920
                                                                                                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,0000001C,00000030,00000050,?,5FFF5BD1), ref: 5FFF593C
                                                                                                                                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,0000001C,00000030,00000050,?,5FFF5BD1), ref: 5FFF5979
                                                                                                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,0000001C,00000030,00000050,?,5FFF5BD1), ref: 5FFF5985
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2188649953.000000005FC31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 5FC30000, based on PE: true
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5fc30000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3168844106-0

                                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                                        Execution Coverage:7%
                                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                        Signature Coverage:0%
                                                                                                                                                                                                                        Total number of Nodes:81
                                                                                                                                                                                                                        Total number of Limit Nodes:6

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • Sleep.KERNELBASE(00000000,?,00B19B19,?,?,00B19D58), ref: 00B19AC6
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.0000000000B19000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00B19000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_b19000_rutserv.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Sleep
                                                                                                                                                                                                                        • String ID: gfff$gfff
                                                                                                                                                                                                                        • API String ID: 3472027048-3084402119

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • RegOpenKeyExW.KERNELBASE(80000002,00B750E0,00000000,00020019,?), ref: 00B74FB7
                                                                                                                                                                                                                        • RegQueryValueExW.KERNELBASE(?,00B7513C,00000000,00000000,00000000,?,00000000,00B750CE), ref: 00B74FE5
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.0000000000B73000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00B73000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_b73000_rutserv.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: OpenQueryValue

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 22 1040658-1040688 24 1040690-10406a1 22->24 25 10406d6-10406df call 1040624 24->25 26 10406a3-10406ab 24->26 32 1040756-104075a 25->32 33 10406e1-10406ea call 1040624 25->33 27 10406bd-10406c6 call 1040624 26->27 27->25 34 10406c8-10406d4 27->34 35 104075c-1040764 32->35 36 104079a-10407a4 call 10407e4 32->36 33->32 42 10406ec-10406f6 33->42 34->25 39 10406ad-10406b9 34->39 40 1040776-104077f call 1040624 35->40 46 10407a6-10407ad 36->46 47 10407af-10407b6 36->47 39->27 40->36 54 1040781-104078d 40->54 42->32 45 10406f8-1040702 42->45 50 1040704-104070b 45->50 51 1040715-1040730 45->51 46->47 52 1040791-1040793 46->52 47->24 53 10407bc-10407c4 47->53 58 1040713 50->58 51->32 52->36 55 10407c9-10407d9 53->55 56 1040766-1040772 SleepEx 54->56 57 104078f 54->57 56->40 57->36 58->32
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • SleepEx.KERNELBASE(0000000A,00000000), ref: 0104076A
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.0000000001040000.00000020.00000001.01000000.0000000D.sdmp, Offset: 01040000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_1040000_rutserv.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Sleep

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 63 1021034-102106a 65 1021073-102107a 63->65 66 102106c-1021071 63->66 67 102107d-1021089 65->67 66->67 69 102108b-1021095 67->69 70 1021098 67->70 69->70 71 10210a7-10210a9 70->71 72 102109a-10210a0 70->72 74 10210ac-10210d3 71->74 72->71 73 10210a2-10210a5 72->73 73->74 75 10210d5 74->75 76 10210dc-10210ee SetServiceStatus 74->76 75->76 77 1021112-102111a 76->77 78 10210f0-102110b 76->78 79 102111f-102112f 77->79 78->77
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • SetServiceStatus.SECHOST(?,?), ref: 010210E7
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.0000000001021000.00000020.00000001.01000000.0000000D.sdmp, Offset: 01021000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_1021000_rutserv.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ServiceStatus

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 84 b1b190-b1b1ab 85 b1b1bb-b1b1c9 84->85 86 b1b1ad-b1b1b9 84->86 89 b1b1cc-b1b1f3 CreateThread 85->89 86->89 90 b1b1f5 89->90 91 b1b1fc-b1b204 89->91 90->91
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • CreateThread.KERNEL32(?,?,Function_00002158,00000000,?,?), ref: 00B1B1EA
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.0000000000B19000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00B19000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_b19000_rutserv.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CreateThread

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 92 b1b18e-b1b1ab 94 b1b1bb-b1b1c9 92->94 95 b1b1ad-b1b1b9 92->95 98 b1b1cc-b1b1f3 CreateThread 94->98 95->98 99 b1b1f5 98->99 100 b1b1fc-b1b204 98->100 99->100
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • CreateThread.KERNEL32(?,?,Function_00002158,00000000,?,?), ref: 00B1B1EA
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.0000000000B19000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00B19000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_b19000_rutserv.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CreateThread

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 101 c5be64-c5be6a 102 c5bea7-c5beb9 101->102 103 c5be6c-c5be70 101->103 107 c5bebe-c5bebf 102->107 103->102 104 c5be72-c5be76 103->104 104->102 106 c5be78-c5be8c ResumeThread 104->106 106->107 108 c5be8e-c5bea6 106->108
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • ResumeThread.KERNELBASE(?), ref: 00C5BE84
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.0000000000C5B000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00C5B000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_c5b000_rutserv.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ResumeThread

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 111 b1b734-b1b736 112 b1b738-b1b73a 111->112 113 b1b75b 111->113 114 b1b740-b1b745 112->114 115 b1b318-b1b31c 112->115 114->115 118 b1b74b-b1b755 SysReAllocStringLen 114->118 116 b1b32c 115->116 117 b1b31e-b1b32b 115->117 117->116 118->113 119 b1b2b0-b1b2ba 118->119 122 b1b2cc 119->122 123 b1b2bc-b1b2c6 119->123 123->119 123->122
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • SysReAllocStringLen.OLEAUT32(?,?,?,00B1AE29), ref: 00B1B74E
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.0000000000B19000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00B19000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_b19000_rutserv.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: AllocString
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 2525500382-0

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 125 c5bf2a-c5bf4e SetThreadPriority call c5bd10 127 c5bf53-c5bf55 125->127
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • SetThreadPriority.KERNELBASE(?), ref: 00C5BF41
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.0000000000C5B000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00C5B000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_c5b000_rutserv.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: PriorityThread
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 2383925036-0

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 128 1021218-102123f PostThreadMessageW 129 1021241 128->129 130 1021246-1021248 128->130 129->130
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • PostThreadMessageW.USER32(?,00000401,?,00000000), ref: 01021230
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.0000000001021000.00000020.00000001.01000000.0000000D.sdmp, Offset: 01021000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_1021000_rutserv.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: MessagePostThread
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 1836367815-0

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 131 b1b498-b1b49a 132 b1b4a0-b1b4ab SysAllocStringLen 131->132 133 b1b318-b1b31c 131->133 134 b1b4b1-b1b4ba 132->134 135 b1b2b0-b1b2ba 132->135 136 b1b32c 133->136 137 b1b31e-b1b32b 133->137 141 b1b2cc 135->141 142 b1b2bc-b1b2c6 135->142 137->136 142->135 142->141
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • SysAllocStringLen.OLEAUT32(?,00000000,?,00B1B5F3), ref: 00B1B4A3
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.0000000000B19000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00B19000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_b19000_rutserv.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: AllocString
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 2525500382-0

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 144 b1b208-b1b212 145 b1b214 144->145 146 b1b21c-b1b223 RtlExitUserThread 144->146 145->146
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.0000000000B19000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00B19000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_b19000_rutserv.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ExitThreadUser
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3424019298-0

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 147 ff859c-ff85ad 148 ff85bf-ff85f1 147->148 149 ff85af-ff85b5 147->149 152 ff8791-ff8798 148->152 149->148 153 ff879e-ff87a6 152->153 154 ff85f6-ff8600 call ff8a98 152->154 155 ff87ab-ff87bb 153->155 159 ff863a-ff867a 154->159 160 ff8602-ff8614 call ff8a98 154->160 164 ff86df-ff86fd 159->164 165 ff867c 159->165 160->159 171 ff8616-ff861d 160->171 175 ff8732-ff8747 164->175 167 ff86d1-ff86db call ff8a98 165->167 176 ff867e-ff8691 call ff9bbf 167->176 177 ff86dd 167->177 171->153 174 ff8623-ff8634 171->174 174->153 174->159 175->152 180 ff8694-ff869c 176->180 177->175 180->167
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.0000000000FF8000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FF8000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_ff8000_rutserv.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: IdThread (unknown)
                                                                                                                                                                                                                        • API String ID: 0-2043411369

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 183 101c710-101c773 call 101c6f0 190 101c7a3-101c7cb 183->190 191 101c775-101c783 183->191 197 101c7da-101c7f5 190->197 198 101c7cd-101c7d0 190->198 191->190 194 101c785-101c78a 191->194 196 101c78f-101c791 194->196 199 101c793-101c798 196->199 200 101c79d-101c7a1 196->200 203 101c7f7-101c801 197->203 204 101c82d-101c834 197->204 198->197 205 101c892-101c89a 199->205 200->190 200->196 212 101c803-101c80d 203->212 213 101c812-101c825 203->213 206 101c851-101c859 204->206 207 101c836-101c849 204->207 208 101c89f-101c8bc 205->208 209 101c85e-101c86e 206->209 207->206 212->205 213->204
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.000000000101C000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0101C000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_101c000_rutserv.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: loopback
                                                                                                                                                                                                                        • API String ID: 0-3546420730

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 220 1a167b0-1a167d4 223 1a167d9-1a167e7 220->223 224 1a167e9-1a167ec 223->224 225 1a167ee-1a1696d 223->225 224->225 226 1a167fd-1a16849 224->226 232 1a1684e-1a16861 226->232
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        • TProcessMessagesThread.Execute, xrefs: 01A167BE
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.0000000001A16000.00000020.00000001.01000000.0000000D.sdmp, Offset: 01A16000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_1a16000_rutserv.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: TProcessMessagesThread.Execute
                                                                                                                                                                                                                        • API String ID: 0-3632000192
                                                                                                                                                                                                                        • Opcode ID: b88722f0aa4043ea1fa5bcbd1a3398404f825a527383b20617729ee4bdc960dc
                                                                                                                                                                                                                        • Instruction ID: ded835d3bdf1a0fd1788ff675e9057958a693e43c907f87e67355d843c6385c3
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b88722f0aa4043ea1fa5bcbd1a3398404f825a527383b20617729ee4bdc960dc
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F5B092A225C2107CB91E22526D83CBA32E9D9C1B11B2288DEF54084CD0AFD11880E2B2
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.0000000000F8C000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F8C000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_f8c000_rutserv.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 8f98b2d89f476d17049841888ab8cf2396c07ce972ec4a082dd0b62700f699c7
                                                                                                                                                                                                                        • Instruction ID: 5ebcef3cb0703229807294a4d87ee7ed1fc74ca6bacedaad8e15d5004c6ffab1
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8f98b2d89f476d17049841888ab8cf2396c07ce972ec4a082dd0b62700f699c7
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0AB09BA125C2107C751D22515D43CB531D9C9C1B11B1184DDF54444C905FD11441F171
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.0000000001340000.00000020.00000001.01000000.0000000D.sdmp, Offset: 01340000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_1340000_rutserv.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 276477d35d940d8837fbf1af46a8442e2ab0a5388a8a43947641e8f2f6b818c4
                                                                                                                                                                                                                        • Instruction ID: fcb5369b2dbd4e4244ba5b45ad8b47640ea6ed1b3b5c9e8b0c3064dbadbdda93
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 276477d35d940d8837fbf1af46a8442e2ab0a5388a8a43947641e8f2f6b818c4
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CDC09270700204CFDB58FF7CC9C9A823BF4AB4820971480A0AA09CB2ABE7B0DC94CB40
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.0000000000F8C000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F8C000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_f8c000_rutserv.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: b77a0732d3c6e774228ccf4221bca692c8db2d128e9db62c622b5d33abdb225c
                                                                                                                                                                                                                        • Instruction ID: 4d4a8fe26a39dbb354d604f4ffcb6647fed5d8dfd2576f5db8b1e3e1a5c8f549
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b77a0732d3c6e774228ccf4221bca692c8db2d128e9db62c622b5d33abdb225c
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 99B0922120D3D01DD62F23A029A24A83BE08C83210B1A04DAE4C08A5A29E411082D252
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.0000000000FF8000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FF8000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_ff8000_rutserv.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: ece824149a976f0be7aa823cfae3d6b3b8c5d121f86fed4468d886b46952911c
                                                                                                                                                                                                                        • Instruction ID: adee8880be86d578d1361a82603c8237f1c7a8acd9e0851c3ce4e35af612179e
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ece824149a976f0be7aa823cfae3d6b3b8c5d121f86fed4468d886b46952911c
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 58B0923600020C7A8A012AC5D8018497B19AB50260B408011B90808022A632A6A4B698
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.0000000000C59000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00C59000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_c59000_rutserv.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: c8c2ac574abf55ae21cbf6035824376078acdc7e53a90bdab73b1b59692627a7
                                                                                                                                                                                                                        • Instruction ID: dcab931c4a539a2eadd99cff47283e157d11fd23f3196920210e5ae52d992c9a
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c8c2ac574abf55ae21cbf6035824376078acdc7e53a90bdab73b1b59692627a7
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6BB001747001158F9F80DB28C688905B7E1BF8932131583E0A409CB336DA30EC85CF81
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.0000000000FF8000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FF8000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_ff8000_rutserv.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 478f410146413648341e8936528a27955cee7fad26bed8f5d055f4a05c08cb4c
                                                                                                                                                                                                                        • Instruction ID: ec8c630dbb8dcb916fa40d63340fcb9b6b6c7c15d6c7aa9d2505734567ee7d94
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 478f410146413648341e8936528a27955cee7fad26bed8f5d055f4a05c08cb4c
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 54A0113020800A8E8A00BB20C80A820F3A0BE003083A000E0A0880A0228B2AA800CB80
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        • font-size: 100%;, xrefs: 0101C94A
                                                                                                                                                                                                                        • font-family: Courier New, monospace;, xrefs: 0101C940
                                                                                                                                                                                                                        • font-size: 130%;, xrefs: 0101C972
                                                                                                                                                                                                                        • body {, xrefs: 0101C936
                                                                                                                                                                                                                        • margin: 0px 0px 0px 0px;, xrefs: 0101C97C
                                                                                                                                                                                                                        • display: none;, xrefs: 0101C99A
                                                                                                                                                                                                                        • <style type="text/css">, xrefs: 0101C92C
                                                                                                                                                                                                                        • textarea {, xrefs: 0101C990
                                                                                                                                                                                                                        • background-color: #FFFFFF;, xrefs: 0101C954
                                                                                                                                                                                                                        • </title>, xrefs: 0101C922
                                                                                                                                                                                                                        • h1 {, xrefs: 0101C968
                                                                                                                                                                                                                        • <head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><meta name="copyright" content="TektonIT" /><meta na, xrefs: 0101C90F
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.000000000101C000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0101C000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_101c000_rutserv.jbxd
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.0000000001A16000.00000020.00000001.01000000.0000000D.sdmp, Offset: 01A16000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_1a16000_rutserv.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: closed_by_user$error_code$network_load$ra_session_id$show_duration_in_sec
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.0000000000C59000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00C59000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_c59000_rutserv.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: END$INHERITED$INLINE$OBJECT
                                                                                                                                                                                                                        • API String ID: 0-4145825852
                                                                                                                                                                                                                        • Opcode ID: 324297a30e272204d8d61b688e81ab215db4f381aefa5cbcb27b7149666a29a6
                                                                                                                                                                                                                        • Instruction ID: 607a9baf09172dda785db6abc157b5b0211b42ba631435ca4ebba8ab01adb726
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 324297a30e272204d8d61b688e81ab215db4f381aefa5cbcb27b7149666a29a6
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1921666C208204CBCF10EF6CD481A9AB3D2DF59356B648594FC848B346CE36D9CE9B6C
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000011.00000002.3309111611.0000000000C59000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00C59000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_c59000_rutserv.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: END$INHERITED$INLINE$OBJECT
                                                                                                                                                                                                                        • API String ID: 0-4145825852
                                                                                                                                                                                                                        • Opcode ID: eb18538b5bdfc9580446b551f1ba7937693af74c71a982e8835b64e4b058cf31
                                                                                                                                                                                                                        • Instruction ID: af93ceafdab0245813e779916363aa6bb16cf4d65d515c4ed8c56415681c5f89
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: eb18538b5bdfc9580446b551f1ba7937693af74c71a982e8835b64e4b058cf31
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EA11596C208100CBDF10EF6CD88169AB3D2DF59356B648294FC945B346CE32D9CE9B58

                                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                                        Execution Coverage:8.9%
                                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                        Signature Coverage:0%
                                                                                                                                                                                                                        Total number of Nodes:26
                                                                                                                                                                                                                        Total number of Limit Nodes:2
                                                                                                                                                                                                                        execution_graph 1434 db3ce8 1435 db3cee 1434->1435 1438 db3d20 1435->1438 1439 db3d26 1438->1439 1442 db3dbc 1439->1442 1441 db3d05 1443 db3dcd 1442->1443 1444 db3e1b 1443->1444 1447 c7af00 1443->1447 1451 c7aefe 1443->1451 1448 c7af1d CreateThread 1447->1448 1450 c7af65 1448->1450 1450->1444 1452 c7af00 CreateThread 1451->1452 1454 c7af65 1452->1454 1454->1444 1455 14ab75f 1456 14ab74e CloseHandle 1455->1456 1456->1455 1457 14ab6c0 CreateFileW 1458 14ab6fb 1457->1458 1459 14ab70c 1457->1459 1460 14ab74e CloseHandle 1459->1460 1460->1459 1461 c7aec8 1462 c7aed0 1461->1462 1463 c7aef2 1462->1463 1465 c7af78 1462->1465 1466 c7af84 1465->1466 1467 c7af8c RtlExitUserThread 1465->1467 1466->1467 1467->1463

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • CreateFileW.KERNELBASE(\\.\PIPE\RManFUSServerNotify32,40000000,00000003,00000000,00000003,00000000,00000000,00000000,014AB75A), ref: 014AB6ED
                                                                                                                                                                                                                        • CloseHandle.KERNELBASE(000000FF,014AB761), ref: 014AB752
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        • Error - NotifyServer - WriteFile, xrefs: 014AB737
                                                                                                                                                                                                                        • \\.\PIPE\RManFUSServerNotify32, xrefs: 014AB6E8
                                                                                                                                                                                                                        • Error - CreateFile, xrefs: 014AB6FB
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000013.00000002.3296607426.00000000014AB000.00000020.00000001.01000000.0000000B.sdmp, Offset: 014AB000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_14ab000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CloseCreateFileHandle
                                                                                                                                                                                                                        • String ID: Error - CreateFile$Error - NotifyServer - WriteFile$\\.\PIPE\RManFUSServerNotify32
                                                                                                                                                                                                                        • API String ID: 3498533004-2744967546
                                                                                                                                                                                                                        • Opcode ID: 1c06f164e7bfac941265f978309c8c30b659cdc108b452f25464e87775c84d1e
                                                                                                                                                                                                                        • Instruction ID: b134e59efadaca5ef201a66e1b09eafc3c69030c1df1caae61c1a17242112cc1
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1c06f164e7bfac941265f978309c8c30b659cdc108b452f25464e87775c84d1e
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 70110478A40304BFE711EBF9DC02B5D7BB8EB58710FA24566FA10D72E0D6B05A009B25

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 14 c7af00-c7af1b 15 c7af1d-c7af29 14->15 16 c7af2b-c7af39 14->16 19 c7af3c-c7af63 CreateThread 15->19 16->19 20 c7af65 19->20 21 c7af6c-c7af74 19->21 20->21
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • CreateThread.KERNEL32(?,?,Function_00000EC8,00000000,?,?), ref: 00C7AF5A
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000013.00000002.3296607426.0000000000C7A000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C7A000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_c7a000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CreateThread
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 2422867632-0
                                                                                                                                                                                                                        • Opcode ID: 95578fd014d7839bc5151dcbd12c607cbbd543ec206d5883973568f93e61ffeb
                                                                                                                                                                                                                        • Instruction ID: c6c1a9bc3ca728e62cab5351cd93ad2d99c5a5d9e0363cb126c38831fcb8ada0
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 95578fd014d7839bc5151dcbd12c607cbbd543ec206d5883973568f93e61ffeb
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 56018FB2A05214AFCB11DEDDA880A8EB7ECAB48361F10C026F91CDB381D6719D0187A1

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 22 c7aefe-c7af1b 24 c7af1d-c7af29 22->24 25 c7af2b-c7af39 22->25 28 c7af3c-c7af63 CreateThread 24->28 25->28 29 c7af65 28->29 30 c7af6c-c7af74 28->30 29->30
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • CreateThread.KERNEL32(?,?,Function_00000EC8,00000000,?,?), ref: 00C7AF5A
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000013.00000002.3296607426.0000000000C7A000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C7A000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_c7a000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CreateThread
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 2422867632-0
                                                                                                                                                                                                                        • Opcode ID: df2ca43f99ab5eb04f711263cfb11bc25c89e91abdcbbb6086b7acc7e0b1ada0
                                                                                                                                                                                                                        • Instruction ID: 0fac4eaff1fdfffd52fe898a58d95f154bc80a9bcd5d4c67019ff20b5db04f45
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: df2ca43f99ab5eb04f711263cfb11bc25c89e91abdcbbb6086b7acc7e0b1ada0
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1BF0C2B2B05214AFCB11DADDAC80A9EB7ECDB48361F108026F91CD7381D771DD0187A4

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 31 c7af78-c7af82 32 c7af84 31->32 33 c7af8c-c7af93 RtlExitUserThread 31->33 32->33
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000013.00000002.3296607426.0000000000C7A000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C7A000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_c7a000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: ExitThreadUser
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3424019298-0
                                                                                                                                                                                                                        • Opcode ID: 65cf1ab015ee73eaf2a80b3c78a7a4f5977744a29164e6774c9c7dced1944c96
                                                                                                                                                                                                                        • Instruction ID: 7490f4f1bcf81b8c2ebbcad54935b474ea39e3870a4ea77307b2f2f5d736a4ab
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 65cf1ab015ee73eaf2a80b3c78a7a4f5977744a29164e6774c9c7dced1944c96
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5AC048E12027008BCB36ABB9A88871A62A86788202F059828F50B96177C7BC9884D710

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 50 14ab75f 51 14ab74e-14ab757 CloseHandle 50->51 51->50
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • CloseHandle.KERNELBASE(000000FF,014AB761), ref: 014AB752
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000013.00000002.3296607426.00000000014AB000.00000020.00000001.01000000.0000000B.sdmp, Offset: 014AB000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_14ab000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CloseHandle
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 2962429428-0

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000013.00000002.3296607426.0000000000DB3000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00DB3000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_db3000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000013.00000002.3296607426.0000000000DB3000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00DB3000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_db3000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000013.00000002.3296607426.0000000000DB3000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00DB3000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_db3000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000013.00000002.3296607426.0000000000DB3000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00DB3000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_db3000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000013.00000002.3296607426.00000000010CB000.00000020.00000001.01000000.0000000B.sdmp, Offset: 010CB000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_10cb000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000013.00000002.3296607426.00000000010CB000.00000020.00000001.01000000.0000000B.sdmp, Offset: 010CB000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_10cb000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:

                                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                                        Execution Coverage:8.7%
                                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                        Signature Coverage:0%
                                                                                                                                                                                                                        Total number of Nodes:75
                                                                                                                                                                                                                        Total number of Limit Nodes:3

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 0 c797d0-c797d8 1 c797e3-c797e6 0->1 2 c797da-c797e1 0->2 4 c797ef 1->4 5 c797e8-c797ed 1->5 2->1 3 c79844-c7984d call c79898 2->3 8 c79852-c79857 3->8 7 c797f1-c7980f 4->7 5->7 9 c79811-c79818 7->9 10 c7981a-c79832 7->10 13 c7985f-c79860 8->13 14 c79859 8->14 9->8 11 c79834-c7983b Sleep 10->11 12 c7983d-c79842 10->12 11->8 12->8 14->13
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • Sleep.KERNELBASE(00000000,?,00C79889,?,?,00C79AC8), ref: 00C79836
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000014.00000002.3296052922.0000000000C79000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C79000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_20_2_c79000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Sleep
                                                                                                                                                                                                                        • String ID: gfff$gfff
                                                                                                                                                                                                                        • API String ID: 3472027048-3084402119
                                                                                                                                                                                                                        • Opcode ID: e7e8485e0fd0765abcc20c6a60cc348a46adec81a15d590179472883e54d1a3a
                                                                                                                                                                                                                        • Instruction ID: 83140354efae8d6797218a03fb22dbb52e6a069f57c437d65e72c2f3992253aa
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e7e8485e0fd0765abcc20c6a60cc348a46adec81a15d590179472883e54d1a3a
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 510186717005118BDB6CAD3EA8917282697F783305F94C239E51ECE2CADAB59945A343

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 35 f2383c-f23857 37 f23945-f2394c 35->37 38 f2385d-f23861 35->38 39 f23863-f2386b 38->39 40 f23871 38->40 39->40 45 f2386d-f2386f 39->45 41 f23873-f2387c 40->41 43 f23894-f238a7 41->43 44 f2387e-f23892 41->44 48 f238a8-f238aa 43->48 44->48 45->41 48->37 49 f238b0-f238b6 48->49 50 f2393e 49->50 51 f238bc-f238c8 49->51 50->37 52 f238da-f238e5 51->52 53 f238ca-f238ce 51->53 52->37 55 f238e7-f238f2 call f236d8 52->55 53->52 55->37 58 f238f4-f238f8 55->58 58->37 59 f238fa-f23905 call f23590 58->59 59->37 62 f23907-f23912 call f235e0 59->62 62->37 65 f23914-f2391f call f23548 62->65 65->37 68 f23921-f2392c 65->68 70 f23936-f2393c 68->70 71 f2392e-f23934 DispatchMessageW 68->71 70->37 71->37
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • DispatchMessageW.USER32(?,?,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00F2392F
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000014.00000002.3296052922.0000000000F23000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F23000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_20_2_f23000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: DispatchMessage
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 2061451462-0
                                                                                                                                                                                                                        • Opcode ID: f8689f47a30c8dc3a81985e1a6c86b74fb7905ddf96155da81c26318c978e409
                                                                                                                                                                                                                        • Instruction ID: 19d59b4667614b7676a981fd1d87dafd66da4631d437ac6b19b35f8239cc894c
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f8689f47a30c8dc3a81985e1a6c86b74fb7905ddf96155da81c26318c978e409
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 722141A1B4435036EA3135292C42BBE77874F93F64F144019F5819B182CAED9D46B326

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 73 1155e68-1155ea8 CreateFileW 75 1155eb1-1155ec5 73->75 76 1155eaa-1155eaf 73->76 78 1155eca-1155ee2 75->78 79 1155f21-1155f24 76->79 81 1155ee4-1155ee8 78->81 82 1155ef3 78->82 81->82 83 1155eea-1155eed 81->83 82->79 83->82
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • CreateFileW.KERNELBASE(01155F28,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,01155F1A), ref: 01155E9C
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000014.00000002.3296052922.0000000001155000.00000020.00000001.01000000.0000000B.sdmp, Offset: 01155000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_20_2_1155000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CreateFile
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 823142352-0
                                                                                                                                                                                                                        • Opcode ID: e9f650c551bca76257a6e4f93197258e443578192141a3be08ffed509391d1ca
                                                                                                                                                                                                                        • Instruction ID: 724e9c6f40b5dbe9099f2499569c5fde1e277c5509c669e355c0f9df8a918aea
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e9f650c551bca76257a6e4f93197258e443578192141a3be08ffed509391d1ca
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0E110830644304FFE7A99BA8DC16F5CBBB4EB09B20F2145A5F930A66D0DB706940E616

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 84 f234a0-f234b4 86 f234b6-f234bd 84->86 87 f234f9-f234fc 84->87 88 f234bf-f234c6 86->88 89 f234ec-f234f2 86->89 90 f234d8-f234e6 88->90 91 f234c8-f234d6 SetWindowTextW 88->91 89->87 90->89 91->89
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • SetWindowTextW.USER32(?,00000000), ref: 00F234D1
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000014.00000002.3296052922.0000000000F23000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F23000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_20_2_f23000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: TextWindow
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 530164218-0
                                                                                                                                                                                                                        • Opcode ID: 6d2c2957dbb299073f95a2d6050d4ab237cf5d545e63552985fa721db800645d
                                                                                                                                                                                                                        • Instruction ID: 40d1e2d9202a7fb67f9b8fc2ea161c37f368e76495249c873059291dbc21a698
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6d2c2957dbb299073f95a2d6050d4ab237cf5d545e63552985fa721db800645d
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C2F030A57001201ADB13FA5894C9BEA27E89F85724F0C40F6FE0D9F247C7698E01A365

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 93 1155efd-1155f05 94 1155f0a-1155f17 CoUninitialize 93->94 96 1155f1f 94->96 96->94
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000014.00000002.3296052922.0000000001155000.00000020.00000001.01000000.0000000B.sdmp, Offset: 01155000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_20_2_1155000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Uninitialize
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3861434553-0
                                                                                                                                                                                                                        • Opcode ID: 9e23a74572e9b4d06d1ca6d20aaac1a85e95e589ecff291dfe75491a171deba1
                                                                                                                                                                                                                        • Instruction ID: aec7877008b78f138c3aa8242c0b729c7a544fe1d44a78357c780ffdb4a2a8a6
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9e23a74572e9b4d06d1ca6d20aaac1a85e95e589ecff291dfe75491a171deba1
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B5C09B7224C141DFA349EB95B91345C77D1D7847603314C77F401C5551DB245D00953E

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 97 1155f1f 98 1155f0a 97->98 99 1155f12-1155f17 CoUninitialize 98->99 99->97
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000014.00000002.3296052922.0000000001155000.00000020.00000001.01000000.0000000B.sdmp, Offset: 01155000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_20_2_1155000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: Uninitialize
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID: 3861434553-0
                                                                                                                                                                                                                        • Opcode ID: 74d70c5535d973b0ccbeda4e5a098e924a55d675ccdf0dad7df82c4f5eeefdd4
                                                                                                                                                                                                                        • Instruction ID: ea6692fae82d4931cc5355306cf587cdbc63c588e201a4fe0a49e2dc0ffb5b47
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 74d70c5535d973b0ccbeda4e5a098e924a55d675ccdf0dad7df82c4f5eeefdd4
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4EA0022158A097FF8788F7A5D55349CB7629E087907394D62F493D5433CB24AE40A53B

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        control_flow_graph 209 f87f48-f87f9b 210 f87fa3-f87fad 209->210 212 f87faf-f87fbc 210->212 213 f87fc1-f87fef 210->213 212->213
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000014.00000002.3296052922.0000000000F87000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F87000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_20_2_f87000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 8ff4a9e3ef08ab09c00f06281effb68458011349d6b02c7450af61b9eff3111d
                                                                                                                                                                                                                        • Instruction ID: 7171d1902b78f0c0d0ebb6054cef81d9df8056d00087b5133464f4ddd875cd83
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8ff4a9e3ef08ab09c00f06281effb68458011349d6b02c7450af61b9eff3111d
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 98113734600304EFD711DF68C955F99BBF9EB0A740FA244E0F8049B662CB75AD15EB61
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000014.00000002.3296052922.0000000000F87000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F87000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_20_2_f87000_rfusclient.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 7f5fb9902847bde12a1817a2f9fd72b54f7da068455841462ae149435e8e5b14
                                                                                                                                                                                                                        • Instruction ID: a5e0f0e92e87f6f0ae1aa2f22597ad7a4eb5512e3184f87869af3e6815725d34
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7f5fb9902847bde12a1817a2f9fd72b54f7da068455841462ae149435e8e5b14
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DDB0123600010CB78F017E81FC01C8A7F1DEB10360B00C015F9080812286339570ABB4